Updates from: 01/27/2021 04:10:10
Service Microsoft Docs article Related commit history on GitHub Change details
active-directory-b2c https://docs.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-operations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory-b2c/microsoft-graph-operations.md a/articles/active-directory-b2c/microsoft-graph-operations.md
@@ -18,7 +18,7 @@
Microsoft Graph allows you to manage resources in your Azure AD B2C directory. The following Microsoft Graph API operations are supported for the management of Azure AD B2C resources, including users, identity providers, user flows, custom policies, and policy keys. Each link in the following sections targets the corresponding page within the Microsoft Graph API reference for that operation.
-## Perquisites
+## Prerequisites
To use MS Graph API, and interact with resources in your Azure AD B2C tenant, you need an application registration that grants the permissions to do so. Follow the steps in the [Manage Azure AD B2C with Microsoft Graph](microsoft-graph-get-started.md) article to create an application registration that your management application can use.
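Review bot: "MS Graph API" in the context line directly under the corrected heading is inconsistent with "Microsoft Graph" used in the paragraph above it; while this heading is being fixed, consider changing it to "the Microsoft Graph API" so the section uses one name for the service.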
active-directory https://docs.microsoft.com/en-us/azure/active-directory/app-provisioning/functions-for-customizing-application-data https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/app-provisioning/functions-for-customizing-application-data.md a/articles/active-directory/app-provisioning/functions-for-customizing-application-data.md
@@ -535,7 +535,7 @@ Requires a minimum of two arguments, which are unique value generation rules def
- This is a top-level function, it cannot be nested. - This function cannot be applied to attributes that have a matching precedence. - This function is only meant to be used for entry creations. When using it with an attribute, set the **Apply Mapping** property to **Only during object creation**.
+ - This function is currently only supported for "Workday to Active Directory User Provisioning" and "SuccessFactors to Active Directory User Provisioning". It cannot be used with other provisioning applications.
**Parameters:**
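Review bot: the added bullet is indented with a leading space (" - ") that the sibling bullets in this list do not have, which will render it as a nested item under "This function is only meant to be used for entry creations" rather than as a peer; align it with the others. Also, "is currently only supported for" goes stale without anyone noticing; either date the statement or point to where the list of supported provisioning applications is maintained so a reader can tell whether the restriction still holds.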
active-directory https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/block-legacy-authentication https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/block-legacy-authentication.md a/articles/active-directory/conditional-access/block-legacy-authentication.md
@@ -123,4 +123,4 @@ To block B2B user access via legacy authentication to SharePoint Online, organiz
- [Determine impact using Conditional Access report-only mode](howto-conditional-access-insights-reporting.md) - If you are not familiar with configuring Conditional Access policies yet, see [require MFA for specific apps with Azure Active Directory Conditional Access](../authentication/tutorial-enable-azure-mfa.md) for an example. - For more information about modern authentication support, see [How modern authentication works for Office 2013 and Office 2016 client apps](/office365/enterprise/modern-auth-for-office-2013-and-2016) -- [How to set up a multifunction device or application to send email using Microsoft 365](/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-office-3)
+- [How to set up a multifunction device or application to send email using Microsoft 365](/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365)
\ No newline at end of file
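Review bot: the file still ends without a trailing newline on both sides of this hunk (the -123,4 +123,4 header and the marker after the changed line); since the last line is being edited anyway, add the newline so later changes to this list produce a clean diff. The corrected link path matches the one used in the howto-conditional-access-policy-block-legacy change in this same set, which is good.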
active-directory https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-block-legacy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/conditional-access/howto-conditional-access-policy-block-legacy.md a/articles/active-directory/conditional-access/howto-conditional-access-policy-block-legacy.md
@@ -49,4 +49,4 @@ The following steps will help create a Conditional Access policy to block legacy
[Simulate sign in behavior using the Conditional Access What If tool](troubleshoot-conditional-access-what-if.md)
-[How to set up a multifunction device or application to send email using Microsoft 365](/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-office-3)
+[How to set up a multifunction device or application to send email using Microsoft 365](/exchange/mail-flow-best-practices/how-to-set-up-a-multifunction-device-or-application-to-send-email-using-microsoft-365-or-office-365)
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-certificate-credentials https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/active-directory-certificate-credentials.md a/articles/active-directory/develop/active-directory-certificate-credentials.md
@@ -20,7 +20,7 @@
The Microsoft identity platform allows an application to use its own credentials for authentication anywhere a client secret could be used, for example, in the OAuth 2.0 [client credentials grant](v2-oauth2-client-creds-grant-flow.md) flow and the [on-behalf-of](v2-oauth2-on-behalf-of-flow.md) (OBO) flow.
-One form of credential that an application can use for authentication is a [JSON Web Token](./security-tokens.md#json-web-tokens-jwts-and-claims) (JWT) assertion signed with a certificate that the application owns.
+One form of credential that an application can use for authentication is a [JSON Web Token](./security-tokens.md#json-web-tokens-and-claims) (JWT) assertion signed with a certificate that the application owns.
## Assertion format
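Review bot: this anchor change depends on the heading rename in security-tokens.md ("JSON Web Tokens (JWTs) and claims" to "JSON Web Tokens and claims") that appears later in this change set; make sure both land in the same commit, and search the repository for the old fragment "#json-web-tokens-jwts-and-claims", since any other article still using it would no longer land on the section.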
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/application-model https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/application-model.md a/articles/active-directory/develop/application-model.md
@@ -1,7 +1,7 @@
Title: Application model | Azure
-description: Learn about the process of registering your application so it can integrate with Microsoft identity platform.
+description: Learn about the process of registering your application so it can integrate with the Microsoft identity platform.
@@ -14,41 +14,41 @@ Last updated 04/28/2020
-#Customer intent: As an application developer, I want to understand how to register an application so it can integrate with Microsoft identity platform
+#Customer intent: As an application developer, I want to understand how to register an application so it can integrate with the Microsoft identity platform.
# Application model
-Applications can sign in users themselves or delegate sign-in to an identity provider. This topic discusses the steps that are required to register an application with Microsoft identity platform.
+Applications can sign in users themselves or delegate sign-in to an identity provider. This article discusses the steps that are required to register an application with the Microsoft identity platform.
-## Registering an application
+## Register an application
-For an identity provider to know that a user has access to a particular app, both the user and the application must be registered with the identity provider. When you register your application with Azure AD, you are providing an identity configuration for your application that allows it to integrate with Microsoft identity platform. Registering the app also allows you to:
+For an identity provider to know that a user has access to a particular app, both the user and the application must be registered with the identity provider. When you register your application with Azure Active Directory (Azure AD), you're providing an identity configuration for your application that allows it to integrate with the Microsoft identity platform. Registering the app also allows you to:
-* Customize the branding of your application in the sign-in dialog. This is important because this is the first experience a user will have with your app.
-* Decide if you want to let users sign in only if they belong to your organization. This is a single tenant application. Or allow users to sign in using any work or school account. This is a multi-tenant application. You can also allow personal Microsoft accounts, or a social account from LinkedIn, Google, and so on.
+* Customize the branding of your application in the sign-in dialog box. This branding is important because signing in is the first experience a user will have with your app.
+* Decide if you want to allow users to sign in only if they belong to your organization. This architecture is known as a single-tenant application. Or, you can allow users to sign in by using any work or school account, which is known as a multi-tenant application. You can also allow personal Microsoft accounts or a social account from LinkedIn, Google, and so on.
* Request scope permissions. For example, you can request the "user.read" scope, which grants permission to read the profile of the signed-in user. * Define scopes that define access to your web API. Typically, when an app wants to access your API, it will need to request permissions to the scopes you define.
-* Share a secret with the Microsoft identity platform that proves the app's identity. This is relevant in the case where the app is a confidential client application. A confidential client application is an application that can hold credentials securely. They require a trusted backend server to store the credentials.
+* Share a secret with the Microsoft identity platform that proves the app's identity. Using a secret is relevant in the case where the app is a confidential client application. A confidential client application is an application that can hold credentials securely. A trusted back-end server is required to store the credentials.
-Once registered, the application will be given a unique identifier that the app shares with the Microsoft identity platform when it requests tokens. If the app is a [confidential client application](developer-glossary.md#client-application), it will also share the secret or the public key-depending on whether certificates or secrets were used.
+After the app is registered, it's given a unique identifier that it shares with the Microsoft identity platform when it requests tokens. If the app is a [confidential client application](developer-glossary.md#client-application), it will also share the secret or the public key depending on whether certificates or secrets were used.
-The Microsoft identity platform represents applications using a model that fulfills two main functions:
+The Microsoft identity platform represents applications by using a model that fulfills two main functions:
-* Identify the app by the authentication protocols it supports
-* Provide all the identifiers, URLs, secrets, and related information that are needed to authenticate
+* Identify the app by the authentication protocols it supports.
+* Provide all the identifiers, URLs, secrets, and related information that are needed to authenticate.
The Microsoft identity platform:
-* Holds all the data required to support authentication at runtime
-* Holds all the data for deciding what resources an app might need to access, and under what circumstances a given request should be fulfilled
-* Provides infrastructure for implementing app provisioning within the app developer's tenant, and to any other Azure AD tenant
-* Handles user consent during token request time and facilitate the dynamic provisioning of apps across tenants
+* Holds all the data required to support authentication at runtime.
+* Holds all the data for deciding what resources an app might need to access, and under what circumstances a given request should be fulfilled.
+* Provides infrastructure for implementing app provisioning within the app developer's tenant, and to any other Azure AD tenant.
+* Handles user consent during token request time and facilitates the dynamic provisioning of apps across tenants.
-**Consent** is the process of a resource owner granting authorization for a client application to access protected resources, under specific permissions, on behalf of the resource owner. Microsoft identity platform:
+*Consent* is the process of a resource owner granting authorization for a client application to access protected resources, under specific permissions, on behalf of the resource owner. The Microsoft identity platform enables:
-* Enables users and administrators to dynamically grant or deny consent for the app to access resources on their behalf.
-* Enables administrators to ultimately decide what apps are allowed to do and which users can use specific apps, and how the directory resources are accessed.
+* Users and administrators to dynamically grant or deny consent for the app to access resources on their behalf.
+* Administrators to ultimately decide what apps are allowed to do and which users can use specific apps, and how the directory resources are accessed.
## Multi-tenant apps
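Review bot: the rewritten sentence "it will also share the secret or the public key depending on whether certificates or secrets were used" still reads as though the public key is sent with each token request. The public key (certificate) is supplied once at registration; at token-request time the app proves possession of the matching private key with a signed JWT assertion, as the certificate-credentials article in this same change set describes. Suggest: "If the app is a confidential client application, it also proves its identity when requesting tokens, either with the shared secret or with an assertion signed by the private key whose certificate was registered." If the sentence is kept as is, at least add a comma before "depending". Separately, the unchanged bullet that quotes the "user.read" scope would read better with code formatting for the scope name, since it is an identifier rather than prose.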
@@ -59,28 +59,28 @@ The following diagram shows a simplified Microsoft identity platform provisionin
* *Tenant A* owns the application. * *Tenant B* is instantiating the application via a service principal.
-![Simplified provisioning flow driven by consent](./media/authentication-scenarios/simplified-provisioning-flow-consent-driven.svg)
+![Diagram that shows a simplified provisioning flow driven by consent.](./media/authentication-scenarios/simplified-provisioning-flow-consent-driven.svg)
In this provisioning flow:
-1. A user from tenant B attempts to sign in with the app, the authorization endpoint requests a token for the application.
+1. A user from tenant B attempts to sign in with the app. The authorization endpoint requests a token for the application.
1. The user credentials are acquired and verified for authentication. 1. The user is prompted to provide consent for the app to gain access to tenant B. 1. The Microsoft identity platform uses the application object in tenant A as a blueprint for creating a service principal in tenant B. 1. The user receives the requested token.
-You can repeat this process for additional tenants. Tenant A retains the blueprint for the app (application object). Users and admins of all the other tenants where the app is given consent keep control over what the application is allowed to do via the corresponding service principal object in each tenant. For more information, see [Application and service principal objects in Microsoft identity platform](app-objects-and-service-principals.md).
+You can repeat this process for more tenants. Tenant A retains the blueprint for the app (application object). Users and admins of all the other tenants where the app is given consent keep control over what the application is allowed to do via the corresponding service principal object in each tenant. For more information, see [Application and service principal objects in the Microsoft identity platform](app-objects-and-service-principals.md).
## Next steps
-For other topics covering authentication and authorization basics:
+For more information about authentication and authorization in the Microsoft identity platform, see the following articles:
-* See [Authentication vs. authorization](authentication-vs-authorization.md) to learn about the basic concepts of authentication and authorization in Microsoft identity platform.
-* See [Security tokens](security-tokens.md) to learn how access tokens, refresh tokens, and ID tokens are used in authentication and authorization.
-* See [App sign-in flow](app-sign-in-flow.md) to learn about the sign-in flow of web, desktop, and mobile apps in Microsoft identity platform.
+* To learn about the basic concepts of authentication and authorization, see [Authentication vs. authorization](authentication-vs-authorization.md).
+* To learn how access tokens, refresh tokens, and ID tokens are used in authentication and authorization, see [Security tokens](security-tokens.md).
+* To learn about the sign-in flow of web, desktop, and mobile apps, see [App sign-in flow](app-sign-in-flow.md).
-To learn more about the application model:
+For more information about the application model, see the following articles:
-* See [How and why applications are added to Azure AD](active-directory-how-applications-are-added.md) for more information on application objects and service principals in Microsoft identity platform.
-* See [Tenancy in Azure Active Directory](single-and-multi-tenant-apps.md) for more information on single-tenant apps and multi-tenant apps.
-* See [Azure Active Directory B2C documentation](../../active-directory-b2c/index.yml) for more information on how Azure AD also provides Azure Active Directory B2C so that organizations can sign in users, typically customers, using social identities like a Google account.
\ No newline at end of file
+* For more information on application objects and service principals in the Microsoft identity platform, see [How and why applications are added to Azure AD](active-directory-how-applications-are-added.md).
+* For more information on single-tenant apps and multi-tenant apps, see [Tenancy in Azure Active Directory](single-and-multi-tenant-apps.md).
+* For more information on how Azure AD also provides Azure Active Directory B2C so that organizations can sign in users, typically customers, by using social identities like a Google account, see [Azure Active Directory B2C documentation](../../active-directory-b2c/index.yml).
\ No newline at end of file
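Review bot: step 3 of the provisioning flow, "The user is prompted to provide consent for the app to gain access to tenant B", omits that, depending on the permissions the app requests and tenant B's consent settings, an administrator rather than the user may have to grant that consent; the article's own earlier point that administrators "ultimately decide what apps are allowed to do" makes this a natural qualifier, for example "The user (or, for permissions that require it, an administrator of tenant B) is prompted to consent to the app gaining access to tenant B." Also, the file still ends without a trailing newline on both sides of the hunk; add one while the last line is being edited.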
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/configure-token-lifetimes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/configure-token-lifetimes.md a/articles/active-directory/develop/configure-token-lifetimes.md
@@ -80,7 +80,7 @@ In this example, you create a policy that requires users to authenticate more fr
## Create token lifetime policies for refresh and session tokens > [!IMPORTANT]
-> As of May 2020, new tenants can not configure refresh and session token lifetimes. Tenants with existing configuration can modify refresh and session token policies until January 30, 2021. Azure Active Directory will stop honoring existing refresh and session token configuration in policies after January 30, 2021. You can still configure access, SAML, and ID token lifetimes after the retirement.
+> As of May 2020, new tenants cannot configure refresh and session token lifetimes. Tenants with existing configuration can modify refresh and session token policies until January 30, 2021. Azure Active Directory will stop honoring existing refresh and session token configuration in policies after January 30, 2021. You can still configure access, SAML, and ID token lifetimes after the retirement.
> > If you need to continue to define the time period before a user is asked to sign in again, configure sign-in frequency in Conditional Access. To learn more about Conditional Access, read [Configure authentication session management with Conditional Access](../conditional-access/howto-conditional-access-session-lifetime.md). >
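Review bot: the retirement date in this IMPORTANT block (January 30, 2021) is three days after this update's date (01/27/2021), so "can modify refresh and session token policies until January 30, 2021" will be stale almost as soon as this merges; consider rewording the block in past tense now, or file a follow-up to do so, so readers are not told they can still change a setting that is no longer honored.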
@@ -206,4 +206,4 @@ In this example, you create a few policies to learn how the priority system work
You now have the original policy linked to your service principal, and the new policy is set as your organization default policy. It's important to remember that policies applied to service principals have priority over organization default policies. ## Next steps
-Learn about [authentication session management capabilities](../conditional-access/howto-conditional-access-session-lifetime.md) in Azure AD Conditional Access.
\ No newline at end of file
+Learn about [authentication session management capabilities](../conditional-access/howto-conditional-access-session-lifetime.md) in Azure AD Conditional Access.
active-directory https://docs.microsoft.com/en-us/azure/active-directory/develop/security-tokens https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/develop/security-tokens.md a/articles/active-directory/develop/security-tokens.md
@@ -14,77 +14,77 @@ Last updated 05/11/2020
-#Customer intent: As an application developer, I want to understand the basic concepts of security tokens in Microsoft identity platform
+#Customer intent: As an application developer, I want to understand the basic concepts of security tokens in the Microsoft identity platform.
# Security tokens
-A centralized identity provider is especially useful for apps that have users located around the globe that don't necessarily sign in from the enterprise's network. The Microsoft identity platform authenticates users and provides security tokens, such as [access token](developer-glossary.md#access-token), [refresh token](developer-glossary.md#refresh-token), and [ID token](developer-glossary.md#id-token), that allow a [client application](developer-glossary.md#client-application) to access protected resources on a [resource server](developer-glossary.md#resource-server).
+A centralized identity provider is especially useful for apps that have users located around the globe who don't necessarily sign in from the enterprise's network. The Microsoft identity platform authenticates users and provides security tokens, such as [access tokens](developer-glossary.md#access-token), [refresh tokens](developer-glossary.md#refresh-token), and [ID tokens](developer-glossary.md#id-token). Security tokens allow a [client application](developer-glossary.md#client-application) to access protected resources on a [resource server](developer-glossary.md#resource-server).
-An **access token** is a security token that is issued by an [authorization server](developer-glossary.md#authorization-server) as part of an [OAuth 2.0](active-directory-v2-protocols.md) flow. It contains information about the user and the app for which the token is intended; which can be used to access web APIs and other protected resources. To learn more about how the Microsoft identity platform issues access tokens, see [Access tokens](access-tokens.md).
+**Access token**: An access token is a security token that's issued by an [authorization server](developer-glossary.md#authorization-server) as part of an [OAuth 2.0](active-directory-v2-protocols.md) flow. It contains information about the user and the resource for which the token is intended. The information can be used to access web APIs and other protected resources. Access tokens are validated by resources to grant access to a client app. To learn more about how the Microsoft identity platform issues access tokens, see [Access tokens](access-tokens.md).
-Access tokens are only valid for a short period of time, so authorization servers will sometimes issue a **refresh token** at the same time the access token is issued. The client application can then exchange this refresh token for a new access token when needed. To learn more about how the Microsoft identity platform uses refresh tokens to revoke permissions, see [Token revocation](access-tokens.md#token-revocation).
+**Refresh token**: Because access tokens are valid for only a short period of time, authorization servers will sometimes issue a refresh token at the same time the access token is issued. The client application can then exchange this refresh token for a new access token when needed. To learn more about how the Microsoft identity platform uses refresh tokens to revoke permissions, see [Token revocation](access-tokens.md#token-revocation).
-**ID tokens** are sent to the client application as part of an [OpenID Connect](v2-protocols-oidc.md) flow. They can be sent along side or instead of an access token, and are used by the client to authenticate the user. To learn more about how the Microsoft identity platform issues ID tokens, see [ID tokens](id-tokens.md).
+**ID token**: ID tokens are sent to the client application as part of an [OpenID Connect](v2-protocols-oidc.md) flow. They can be sent alongside or instead of an access token. ID tokens are used by the client to authenticate the user. To learn more about how the Microsoft identity platform issues ID tokens, see [ID tokens](id-tokens.md).
> [!NOTE]
-> This article discusses security tokens used by the OAuth2 and OpenID Connect protocols. Many enterprise applications use SAML to authenticate users. See [Azure AD SAML token reference](reference-saml-tokens.md) for information on SAML assertions.
+> This article discusses security tokens used by the OAuth2 and OpenID Connect protocols. Many enterprise applications use SAML to authenticate users. For information on SAML assertions, see [Azure Active Directory SAML token reference](reference-saml-tokens.md).
-## Validating security tokens
+## Validate security tokens
-It's up to the app for which the token was generated, the web app that signed-in the user, or the web API being called, to validate the token. The token is signed by the **Security Token Server (STS)** with a private key. The STS publishes the corresponding public key. To validate a token, the app verifies the signature by using the STS public key to validate that the signature was created using the private key.
+It's up to the app for which the token was generated, the web app that signed in the user, or the web API being called to validate the token. The token is signed by the authorization server with a private key. The authorization server publishes the corresponding public key. To validate a token, the app verifies the signature by using the authorization server public key to validate that the signature was created using the private key.
-Tokens are only valid for a limited amount of time. Usually the STS provides a pair of tokens:
+Tokens are valid for only a limited amount of time. Usually, the authorization server provides a pair of tokens, such as:
-* An access token to access the application or protected resource, and
-* A refresh token used to refresh the access token when the access token is close to expiring.
+* An access token, which accesses the application or protected resource.
+* A refresh token, which is used to refresh the access token when the access token is close to expiring.
-Access tokens are passed to a web API as the bearer token in the `Authorization` header. An app can provide a refresh token to the STS, and if the user access to the app wasn't revoked, it will get back a new access token and a new refresh token. This is how the scenario of someone leaving the enterprise is handled. When the STS receives the refresh token, it won't issue another valid access token if the user is no longer authorized.
+Access tokens are passed to a web API as the bearer token in the `Authorization` header. An app can provide a refresh token to the authorization server. If the user access to the app wasn't revoked, it will get back a new access token and a new refresh token. This is how the scenario of someone leaving the enterprise is handled. When the authorization server receives the refresh token, it won't issue another valid access token if the user is no longer authorized.
-## JSON Web Tokens (JWTs) and claims
+## JSON Web Tokens and claims
-The Microsoft identity platform implements security tokens as **JSON Web Tokens (JWTs)** that contain **claims**. Since JWTs are used as security tokens, this form of authentication is sometimes called **JWT authentication**.
+The Microsoft identity platform implements security tokens as JSON Web Tokens (JWTs) that contain *claims*. Since JWTs are used as security tokens, this form of authentication is sometimes called *JWT authentication*.
-A [claim](developer-glossary.md#claim) provides assertions about one entity, such as a client application or [resource owner](developer-glossary.md#resource-owner), to another entity, such as a resource server. A claim may also be referred to as a JWT claim or JSON Web Token claim.
+A [claim](developer-glossary.md#claim) provides assertions about one entity, such as a client application or [resource owner](developer-glossary.md#resource-owner), to another entity, such as a resource server. A claim might also be referred to as a JWT claim or a JSON Web Token claim.
-Claims are name/value pairs that relay facts about the token subject. For example, a claim may contain facts about the security principal that was authenticated by the authorization server. The claims present in a given token depend on many things, including the type of token, the type of credential used to authenticate the subject, the application configuration, and so on.
+Claims are name or value pairs that relay facts about the token subject. For example, a claim might contain facts about the security principal that was authenticated by the authorization server. The claims present in a specific token depend on many things, such as the type of token, the type of credential used to authenticate the subject, and the application configuration.
-Applications can use claims for various tasks such as:
+Applications can use claims for various tasks, such as to:
-* Validating the token
-* Identifying the token subject's [tenant](developer-glossary.md#tenant)
-* Displaying user information
-* Determining the subject's authorization
+* Validate the token.
+* Identify the token subject's [tenant](developer-glossary.md#tenant).
+* Display user information.
+* Determine the subject's authorization.
A claim consists of key-value pairs that provide information such as the:
-* Security Token Server that generated the token
-* Date when the token was generated
-* Subject (such as the user--except for daemons)
-* Audience, which is the app for which the token was generated
-* App (the client) that asked for the token. In the case of web apps, this may be the same as the audience
+* Security Token Server that generated the token.
+* Date when the token was generated.
+* Subject (such as the user--except for daemons).
+* Audience, which is the app for which the token was generated.
+* App (the client) that asked for the token. In the case of web apps, this app might be the same as the audience.
-To learn more about how the Microsoft identity platform implements tokens and claim information, see [access tokens](access-tokens.md) and [ID tokens](id-tokens.md).
+To learn more about how the Microsoft identity platform implements tokens and claim information, see [Access tokens](access-tokens.md) and [ID tokens](id-tokens.md).
## How each flow emits tokens and codes
-Depending on how your client is built, it can use one (or several) of the authentication flows supported by Microsoft identity platform. These flows can produce a variety of tokens (ID tokens, refresh tokens, access tokens) as well as authorization codes, and require different tokens to make them work. This chart provides an overview:
+Depending on how your client is built, it can use one (or several) of the authentication flows supported by the Microsoft identity platform. These flows can produce various tokens (ID tokens, refresh tokens, access tokens) and authorization codes. They require different tokens to make them work. This table provides an overview.
-|Flow | Requires | ID token | access token | refresh token | authorization code |
+|Flow | Requires | ID token | Access token | Refresh token | Authorization code |
|--|-|-|--||--| |[Authorization code flow](v2-oauth2-auth-code-flow.md) | | x | x | x | x| |[Implicit flow](v2-oauth2-implicit-grant-flow.md) | | x | x | | | |[Hybrid OIDC flow](v2-protocols-oidc.md#protocol-diagram-access-token-acquisition)| | x | | | x |
-|[Refresh token redemption](v2-oauth2-auth-code-flow.md#refresh-the-access-token) | refresh token | x | x | x| |
-|[On-behalf-of flow](v2-oauth2-on-behalf-of-flow.md) | access token| x| x| x| |
-|[Client credentials](v2-oauth2-client-creds-grant-flow.md) | | | x (app-only)| | |
+|[Refresh token redemption](v2-oauth2-auth-code-flow.md#refresh-the-access-token) | Refresh token | x | x | x| |
+|[On-behalf-of flow](v2-oauth2-on-behalf-of-flow.md) | Access token| x| x| x| |
+|[Client credentials](v2-oauth2-client-creds-grant-flow.md) | | | x (App only)| | |
-Tokens issued via the implicit mode have a length limitation due to being passed back to the browser via the URL (where `response_mode` is `query` or `fragment`). Some browsers have a limit on the size of the URL that can be put in the browser bar and fail when it is too long. Thus, these tokens do not have `groups` or `wids` claims.
+Tokens issued via the implicit mode have a length limitation because they're passed back to the browser via the URL, where `response_mode` is `query` or `fragment`. Some browsers have a limit on the size of the URL that can be put in the browser bar and fail when it's too long. As a result, these tokens don't have `groups` or `wids` claims.
## Next steps
-For other topics covering authentication and authorization basics:
+For more information about authentication and authorization in the Microsoft identity platform, see the following articles:
-* See [Authentication vs. authorization](authentication-vs-authorization.md) to learn about the basic concepts of authentication and authorization in Microsoft identity platform.
-* See [Application model](application-model.md) to learn about the process of registering your application so it can integrate with Microsoft identity platform.
-* See [App sign-in flow](app-sign-in-flow.md) to learn about the sign-in flow of web, desktop, and mobile apps in Microsoft identity platform.
+* To learn about the basic concepts of authentication and authorization, see [Authentication vs. authorization](authentication-vs-authorization.md).
+* To learn about registering your application for integration, see [Application model](application-model.md).
+* To learn about the sign-in flow of web, desktop, and mobile apps, see [App sign-in flow](app-sign-in-flow.md).
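Review bot: The client credentials row in the table writes the cell as `x (App only)`, but "app-only" is the term the identity platform documentation uses for tokens issued without a user, and it is not a proper noun; keep the cell as `x (app-only)` even though the column headers are now title-cased. The paragraph on implicit-mode tokens states that they carry no `groups` or `wids` claims but stops there; a reader who authorizes on group membership or directory roles needs one sentence on where to obtain that data instead (the linked access token and ID token articles cover it), otherwise the limitation reads as a dead end.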
active-directory https://docs.microsoft.com/en-us/azure/active-directory/external-identities/conditional-access https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/external-identities/conditional-access.md a/articles/active-directory/external-identities/conditional-access.md
@@ -6,7 +6,7 @@
Previously updated : 09/11/2017 Last updated : 01/21/2020
@@ -18,31 +18,72 @@
# Conditional Access for B2B collaboration users
-## Multi-factor authentication for B2B users
-With Azure AD B2B collaboration, organizations can enforce multi-factor authentication (MFA) policies for B2B users. These policies can be enforced at the tenant, app, or individual user level, the same way that they are enabled for full-time employees and members of the organization. MFA policies are enforced at the resource organization.
+This article describes how organizations can scope Conditional Access (CA) policies for B2B guest users to access their resources.
+>[!NOTE]
+>This authentication or authorization flow is a bit different for guest users than for the existing users of that Identity provider (IdP).
-Example:
-1. Admin or information worker in Company A invites user from company B to an application *Foo* in company A.
-2. Application *Foo* in company A is configured to require MFA on access.
-3. When the user from company B attempts to access app *Foo* in the company A tenant, they are asked to complete an MFA challenge.
-4. The user can set up their MFA with company A, and chooses their MFA option.
-5. This scenario works for any identity (Azure AD or MSA, for example, if users in Company B authenticate using social ID)
-6. Company A must have sufficient Premium Azure AD licenses that support MFA. The user from company B consumes this license from company A.
+## Authentication flow for B2B guest users from an external directory
-The inviting tenancy is always responsible for MFA for users from the partner organization, even if the partner organization has MFA capabilities.
+The following diagram illustrates the flow:
+![image shows Authentication flow for B2B guest users from an external directory](./media/conditional-access-b2b/authentication-flow-b2b-guests.png)
-### Setting up MFA for B2B collaboration users
-To discover how easy it is to set up MFA for B2B collaboration users, see how in the following video:
+| Step | Description |
+|--|--|
+| 1. | The B2B guest user requests access to a resource. The resource redirects the user to its resource tenant, a trusted IdP.|
+| 2. | The resource tenant identifies the user as external and redirects the user to the B2B guest userΓÇÖs IdP. The user performs primary authentication in the IdP.
+| 3. | The B2B guest userΓÇÖs IdP issues a token to the user. The user is redirected back to the resource tenant with the token. The resource tenant validates the token and then evaluates the user against its CA policies. For example, the resource tenant could require the user to perform Azure Active Directory (AD) Multi-Factor Authentication.
+| 4. | Once all resource tenant CA policies are satisfied, the resource tenant issues its own token and redirects the user to its resource.
+
+## Authentication flow for B2B guest users with one time passcode
+
+The following diagram illustrates the flow:
+![image shows Authentication flow for B2B guest users with one time passcode](./media/conditional-access-b2b/authentication-flow-b2b-guests-otp.png)
+
+| Step | Description |
+|--|--|
+| 1. |The user requests access to a resource in another tenant. The resource redirects the user to its resource tenant, a trusted IdP.|
+| 2. | The resource tenant identifies the user as an [external email one-time passcode (OTP) user](https://docs.microsoft.com/azure/active-directory/external-identities/one-time-passcode) and sends an email with the OTP to the user.|
+| 3. | The user retrieves the OTP and submits the code. The resource tenant evaluates the user against its CA policies.
+| 4. | Once all CA policies are satisfied, the resource tenant issues a token and redirects the user to its resource. |
+
+>[!NOTE]
+>If the user is from an external resource tenant, it is not possible for the B2B guest userΓÇÖs IdP CA policies to also be evaluated. As of today, only the resource tenantΓÇÖs CA policies apply to its guests.
+
+## Azure AD Multi-Factor Authentication for B2B users
+
+Organizations can enforce multiple Azure AD Multi-Factor Authentication policies for their B2B guest users. These policies can be enforced at the tenant, app, or individual user level in the same way that they're enabled for full-time employees and members of the organization.
+The resource tenant is always responsible for Azure AD Multi-Factor Authentication for users, even if the guest userΓÇÖs organization has Multi-Factor Authentication capabilities. Here's an example-
+
+1. An admin or information worker in a company named Fabrikam invites user from another company named Contoso to use their application Woodgrove.
+
+2. The Woodgrove app in Fabrikam is configured to require Azure AD Multi-Factor Authentication on access.
+
+3. When the B2B guest user from Contoso attempts to access Woodgrove in the Fabrikam tenant, they're asked to complete the Azure AD Multi-Factor Authentication challenge.
+
+4. The guest user can then set up their Azure AD Multi-Factor Authentication with Fabrikam and select the options.
+
+5. This scenario works for any identity ΓÇô Azure AD or Personal Microsoft Account (MSA). For example, if user in Contoso authenticates using social ID.
+
+6. Fabrikam must have sufficient premium Azure AD licenses that support Azure AD Multi-Factor Authentication. The user from Contoso then consumes this license from Fabrikam. See [billing model for Azure AD external identities](https://docs.microsoft.com/azure/active-directory/external-identities/external-identities-pricing) for information on the B2B licensing.
+
+>[!NOTE]
+>Azure AD Multi-Factor Authentication is done at resource tenancy to ensure predictability.
+
+### Set up Azure AD Multi-Factor Authentication for B2B users
+
+To set up Azure AD Multi-Factor Authentication for B2B collaboration users, watch this video:
>[!VIDEO https://channel9.msdn.com/Blogs/Azure/b2b-conditional-access-setup/Player]
-### B2B users MFA experience for offer redemption
-Check out the following animation to see the redemption experience:
+### B2B users Azure AD Multi-Factor Authentication for offer redemption
+
+To learn more about the Azure AD Multi-Factor Authentication redemption experience, watch this video:
>[!VIDEO https://channel9.msdn.com/Blogs/Azure/MFA-redemption/Player]
-### MFA reset for B2B collaboration users
-Currently, the admin can require B2B collaboration users to proof up again only by using the following PowerShell cmdlets:
+### Azure AD Multi-Factor Authentication reset for B2B users
+
+Now, the following PowerShell cmdlets are available to proof up B2B guest users:
1. Connect to Azure AD
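Review bot: The two step tables are inconsistently terminated: in each table only the first row ends with a closing `|` (`...a trusted IdP.|`) while rows 2 to 4 do not, which renders unevenly in some markdown engines; add the trailing pipe to every row. The lead-in to the MFA example ends with a hyphen (`Here's an example-`) and should end with a colon, step 1 is missing an article (`invites a user from another company`), and step 5's second sentence (`For example, if user in Contoso authenticates using social ID.`) is a fragment that belongs with the sentence before it. The renamed reset section now says the cmdlets are "available to proof up B2B guest users", but the cmdlets that follow list and reset existing methods rather than register them, so the earlier wording "require B2B collaboration users to proof up again" described the operation more accurately.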
@@ -61,52 +102,57 @@ Currently, the admin can require B2B collaboration users to proof up again only
Get-MsolUser | where { $_.StrongAuthenticationMethods} | select UserPrincipalName, @{n="Methods";e={($_.StrongAuthenticationMethods).MethodType}} ```
-3. Reset the MFA method for a specific user to require the B2B collaboration user to set proof-up methods again. Example:
+3. Reset the Azure AD Multi-Factor Authentication method for a specific user to require the B2B collaboration user to set proof-up methods again.
+ Here is an example:
``` Reset-MsolStrongAuthenticationMethodByUpn -UserPrincipalName gsamoogle_gmail.com#EXT#@ WoodGroveAzureAD.onmicrosoft.com ```
-### Why do we perform MFA at the resource tenancy?
+## Conditional Access for B2B users
-In the current release, MFA is always in the resource tenancy, for reasons of predictability. For example, letΓÇÖs say a Contoso user (Sally) is invited to Fabrikam and Fabrikam has enabled MFA for B2B users.
+There are various factors that influence CA policies for B2B guest users.
-If Contoso has MFA policy enabled for App1 but not App2, then if we look at the Contoso MFA claim in the token, we might see the following issue:
+### Device-based Conditional Access
-* Day 1: A user has MFA in Contoso and is accessing App1, then no additional MFA prompt is shown in Fabrikam.
+In CA, there's an option to require a userΓÇÖs [device to be Compliant or Hybrid Azure AD joined](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-conditions#device-state-preview). B2B guest users can only satisfy compliance if the resource tenant can manage their device. Devices cannot be managed by more than one organization at a time. B2B guest users can't satisfy the Hybrid Azure AD join because they don't have an on-premises AD account. Only if the guest userΓÇÖs device is unmanaged, they can register or enroll their device in the resource tenant and then make the device compliant. The user can then satisfy the grant control.
-* Day 2: The user has accessed App 2 in Contoso, so now when accessing Fabrikam, they must register for MFA there.
+>[!Note]
+>It is not recommended to require a managed device for external users.
-This process can be confusing and could lead to drop in sign-in completions.
+### Mobile application management policies
-Moreover, even if Contoso has MFA capability, it is not always the case the Fabrikam would trust the Contoso MFA policy.
+The CA grant controls such as **Require approved client apps** and **Require app protection policies** need the device to be registered in the tenant. These controls can only be applied to [iOS and Android devices](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-conditions#device-platforms). However, neither of these controls can be applied to B2B guest users if the userΓÇÖs device is already being managed by another organization. A mobile device cannot be registered in more than one tenant at a time. If the mobile device is managed by another organization, the user will be blocked. Only if the guest userΓÇÖs device is unmanaged, they can register their device in the resource tenant. The user can then satisfy the grant control.
-Finally, resource tenant MFA also works for MSAs and social IDs and for partner orgs that do not have MFA set up.
+>[!NOTE]
+>It is not recommended to require an app protection policy for external users.
-Therefore, the recommendation for MFA for B2B users is to always require MFA in the inviting tenant. This requirement could lead to double MFA in some cases, but whenever accessing the inviting tenant, the end-users experience is predictable: Sally must register for MFA with the inviting tenant.
+### Location-based Conditional Access
-### Device-based, location-based, and risk-based Conditional Access for B2B users
+The [location-based policy](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-conditions#locations) based on IP ranges can be enforced if the inviting organization can create a trusted IP address range that defines their partner organizations.
-When Contoso enables device-based Conditional Access policies for their corporate data, access is prevented from devices that are not managed by Contoso and not compliant with the Contoso device policies.
+Policies can also be enforced based on **geographical locations**.
-If the B2B userΓÇÖs device isn't managed by Contoso, access of B2B users from the partner organizations is blocked in whatever context these policies are enforced. However, Contoso can create exclusion lists containing specific partner users to exclude them from the device-based Conditional Access policy.
+### Risk-based Conditional Access
-#### Mobile application management policies for B2B
+The [Sign-in risk policy](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-conditions#sign-in-risk) is enforced if the B2B guest user satisfies the grant control. For example, an organization could require Azure AD Multi-Factor Authentication for medium or high sign-in risk. However, if a user hasn't previously registered for Azure AD Multi-Factor Authentication in the resource tenant, the user will be blocked. This is done to prevent malicious users from registering their own Azure AD Multi-Factor Authentication credentials in the event they compromise a legitimate userΓÇÖs password.
-Conditional Access app protection policies cannot be applied to B2B users because the inviting organization has no visibility into the B2B user's home organization.
+The [User-risk policy](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-conditions#user-risk) however cannot be resolved in the resource tenant. For example, if you require a password change for high-risk guest users, they'll be blocked because of the inability to reset passwords in the resource directory.
-#### Location-based Conditional Access for B2B
+### Conditional Access client apps condition
-Location-based Conditional Access policies can be enforced for B2B users if the inviting organization is able to create a trusted IP address range that defines their partner organizations.
+[Client apps conditions](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-conditions#client-apps) behave the same for B2B guest users as they do for any other type of user. For example, you could prevent guest users from using legacy authentication protocols.
-#### Risk-based Conditional Access for B2B
+### Conditional Access session controls
-Currently, risk-based sign-in policies cannot be applied to B2B users because the risk evaluation is performed at the B2B userΓÇÖs home organization.
+[Session controls](https://docs.microsoft.com/azure/active-directory/conditional-access/concept-conditional-access-session) behave the same for B2B guest users as they do for any other type of user.
## Next steps
-See the following articles on Azure AD B2B collaboration:
+For more information, see the following articles on Azure AD B2B collaboration:
+
+- [What is Azure AD B2B collaboration?](https://docs.microsoft.com/azure/active-directory/external-identities/what-is-b2b)
+- [Identity Protection and B2B users](https://docs.microsoft.com/azure/active-directory/identity-protection/concept-identity-protection-b2b)
+- [External Identities pricing](https://azure.microsoft.com/pricing/details/active-directory/)
+- [Frequently Asked Questions (FAQs)](https://docs.microsoft.com/azure/active-directory/external-identities/faq)
-* [What is Azure AD B2B collaboration?](what-is-b2b.md)
-* [External Identities pricing](external-identities-pricing.md)
-* [Azure Active Directory B2B collaboration frequently asked questions (FAQ)](faq.md)
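Review bot: The sample UPN in the `Reset-MsolStrongAuthenticationMethodByUpn` line contains a space after `#EXT#@`, which makes PowerShell treat `WoodGroveAzureAD.onmicrosoft.com` as a separate argument and the cmdlet look up a user that does not exist; a guest UPN is a single token (`gsamoogle_gmail.com#EXT#@WoodGroveAzureAD.onmicrosoft.com`). This hunk also deletes the "Why do we perform MFA at the resource tenancy?" section, including the Day 1/Day 2 example that showed why a per-app MFA claim from the home tenant cannot be relied on by the resource tenant; the replacement note in the previous hunk ("done at resource tenancy to ensure predictability") keeps the conclusion but not the reason, so consider carrying over one sentence of that rationale. Minor: the device-based note uses `>[!Note]` while every other callout in the file uses `>[!NOTE]`, and the Next steps list switches from the relative `.md` links used elsewhere in this folder to absolute docs.microsoft.com URLs.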
active-directory https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-graph-api https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/identity-protection/howto-identity-protection-graph-api.md a/articles/active-directory/identity-protection/howto-identity-protection-graph-api.md
@@ -1,12 +1,12 @@
Title: Microsoft Graph API for Azure Active Directory Identity Protection
+ Title: Microsoft Graph PowerShell SDK and Azure Active Directory Identity Protection
description: Learn how to query Microsoft Graph risk detections and associated information from Azure Active Directory Previously updated : 10/06/2020 Last updated : 01/25/2021
@@ -15,30 +15,28 @@
-# Get started with Azure Active Directory Identity Protection and Microsoft Graph
+# Azure Active Directory Identity Protection and the Microsoft Graph PowerShell SDK
-Microsoft Graph is the Microsoft unified API endpoint and the home of [Azure Active Directory Identity Protection](./overview-identity-protection.md) APIs. There are three APIs that expose information about risky users and sign-ins. The first API, **riskDetection**, allows you to query Microsoft Graph for a list of both user and sign-in linked risk detections and associated information about the detection. The second API, **riskyUsers**, allows you to query Microsoft Graph for information about users Identity Protection detected as risk. The third API, **signIn**, allows you to query Microsoft Graph for information on Azure AD sign-ins with specific properties related to risk state, detail, and level.
+Microsoft Graph is the Microsoft unified API endpoint and the home of [Azure Active Directory Identity Protection](./overview-identity-protection.md) APIs. This article will show you how to use the [Microsoft Graph PowerShell SDK](/graph/powershell/get-started) to get risky user details using PowerShell. Organizations that want to query the Microsoft Graph APIs directly can use the article, [Tutorial: Identify and remediate risks using Microsoft Graph APIs](/graph/tutorial-riskdetection-api) to begin that journey.
-This article gets you started with connecting to the Microsoft Graph and querying these APIs. For an in-depth introduction, full documentation, and access to the Graph Explorer, see the [Microsoft Graph site](https://graph.microsoft.io/) or the specific reference documentation for these APIs:
-* [riskDetection API](/graph/api/resources/riskdetection?view=graph-rest-v1.0)
-* [riskyUsers API](/graph/api/resources/riskyuser?view=graph-rest-v1.0)
-* [signIn API](/graph/api/resources/signin?view=graph-rest-v1.0)
-
-## Connect to Microsoft graph
+## Connect to Microsoft Graph
There are four steps to accessing Identity Protection data through Microsoft Graph: -- [Retrieve your domain name](#retrieve-your-domain-name)
+- [Create a certificate](#create-a-certificate)
- [Create a new app registration](#create-a-new-app-registration) - [Configure API permissions](#configure-api-permissions) - [Configure a valid credential](#configure-a-valid-credential)
-### Retrieve your domain name
+### Create a certificate
+
+In a production environment you would use a certificate from your production Certificate Authority, but in this sample we will use a self-signed certificate. Create and export the certificate using the following PowerShell commands.
-1. Sign in to the [Azure portal](https://portal.azure.com).
-1. Browse to **Azure Active Directory** > **Custom domain names**.
-1. Take note of the `.onmicrosoft.com` domain, you will need this information in a later step.
+```powershell
+$cert = New-SelfSignedCertificate -Subject "CN=MSGraph_ReportingAPI" -CertStoreLocation "Cert:\CurrentUser\My" -KeyExportPolicy Exportable -KeySpec Signature -KeyLength 2048 -KeyAlgorithm RSA -HashAlgorithm SHA256
+Export-Certificate -Cert $cert -FilePath "C:\Reporting\MSGraph_ReportingAPI.cer"
+```
### Create a new app registration
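Review bot: `New-SelfSignedCertificate` is run with `-KeyExportPolicy Exportable`, but only the public `.cer` is uploaded to the app registration and the later `Connect-MgGraph` call references the key by thumbprint in the local store, so the private key never needs to leave the machine; `-KeyExportPolicy NonExportable` is the safer choice for a credential that grants unattended application permissions, and the text should say why. The cmdlet also issues the certificate with its default one-year validity, which the paragraph does not mention; readers planning an unattended job need to know the credential expires and must be rotated.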
@@ -48,10 +46,12 @@ There are four steps to accessing Identity Protection data through Microsoft Gra
1. In the **Name** textbox, type a name for your application (for example: Azure AD Risk Detection API). 1. Under **Supported account types**, select the type of accounts that will use the APIs. 1. Select **Register**.
-1. Copy the **Application ID**.
+1. Take note of the **Application (client) ID** and **Directory (tenant) ID** as you will need these items later.
### Configure API permissions
+In this example, we configure application permissions allowing this sample to be used unattended. If granting permissions to a user who will be logged on, choose delegated permissions instead. More information about different permission types can be found in the article, [Permissions and consent in the Microsoft identity platform](../develop/v2-permissions-and-consent.md#permission-types).
+ 1. From the **Application** you created, select **API permissions**. 1. On the **Configured permissions** page, in the toolbar on the top, click **Add a permission**. 1. On the **Add API access** page, click **Select an API**.
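Review bot: The new paragraph explains application versus delegated permissions but not that this sample only reads risky users; when the specific permission is chosen in the steps that follow (outside this hunk), make sure it is the narrowest one that lets `Get-MgRiskyUser` read risk state rather than a broader Identity Protection or directory permission, and say so here, since an application permission is exercised without a signed-in user.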
@@ -65,109 +65,34 @@ There are four steps to accessing Identity Protection data through Microsoft Gra
### Configure a valid credential 1. From the **Application** you created, select **Certificates & secrets**.
-1. Under **Client secrets**, select **New client secret**.
- 1. Give the client secret a **Description** and set the expiration time period according to your organizational policies.
+1. Under **certificates**, select **Upload certificate**.
+ 1. Select the previously exported certificate from the window that opens.
1. Select **Add**.
+1. Take note of the **Thumbprint** of the certificate as you will need this information in the next step.
- > [!NOTE]
- > If you lose this key, you will have to return to this section and create a new key. Keep this key a secret: anyone who has it can access your data.
-
-## Authenticate to Microsoft Graph and query the Identity Risk Detections API
-
-At this point, you should have:
--- The name of your tenant's domain-- The Application (client) ID -- The client secret or certificate -
-To authenticate, send a post request to `https://login.microsoft.com` with the following parameters in the body:
--- grant_type: ΓÇ£**client_credentials**ΓÇ¥-- resource: `https://graph.microsoft.com`-- client_id: \<your client ID\>-- client_secret: \<your key\>-
-If successful, this request returns an authentication token.
-To call the API, create a header with the following parameter:
-
-```
-`Authorization`="<token_type> <access_token>"
-```
-
-When authenticating, you can find the token type and access token in the returned token.
-
-Send this header as a request to the following API URL: `https://graph.microsoft.com/v1.0/identityProtection/riskDetections`
-
-The response, if successful, is a collection of identity risk detections and associated data in the OData JSON format, which can be parsed and handled as you see fit.
-
-### Sample
-
-This sample shows the use of a shared secret to authenticate. In a production environment storing secrets in code is generally frowned upon. Organizations can make use of managed identities for Azure resources to secure these credentials. For more information about managed identities see the article, [What are managed identities for Azure resources](../managed-identities-azure-resources/overview.md).
-
-HereΓÇÖs sample code for authenticating and calling the API using PowerShell.
-Just add your client ID, the secret key, and the tenant domain.
-
-```PowerShell
- $ClientID = "<your client ID here>" # Should be a ~36 hex character string; insert your info here
- $ClientSecret = "<your client secret here>" # Should be a ~44 character string; insert your info here
- $tenantdomain = "<your tenant domain here>" # For example, contoso.onmicrosoft.com
+## List risky users using PowerShell
- $loginURL = "https://login.microsoft.com"
- $resource = "https://graph.microsoft.com"
+To enable the ability to query Microsoft Graph, we need to install the `Microsoft.Graph` module in our PowerShell window, using the `Install-Module Microsoft.Graph` command.
- $body = @{grant_type="client_credentials";resource=$resource;client_id=$ClientID;client_secret=$ClientSecret}
- $oauth = Invoke-RestMethod -Method Post -Uri $loginURL/$tenantdomain/oauth2/token?api-version=1.0 -Body $body
+Modify the following variables to include the information generated in the previous steps, then run them as a whole to get risky user details using PowerShell.
- Write-Output $oauth
+```powershell
+$ClientID = "<your client ID here>" # Application (client) ID gathered when creating the app registration
+$tenantdomain = "<your tenant domain here>" # Directory (tenant) ID gathered when creating the app registration
+$Thumbprint = "<your client secret here>" # Certificate thumbprint gathered when configuring your credential
- if ($oauth.access_token -ne $null) {
- $headerParams = @{'Authorization'="$($oauth.token_type) $($oauth.access_token)"}
+Select-MgProfile -Name "beta"
+
+Connect-MgGraph -ClientId $ClientID -TenantId $tenantdomain -CertificateThumbprint $Thumbprint
- $url = "https://graph.microsoft.com/v1.0/identityProtection/riskDetections"
- Write-Output $url
-
- $myReport = (Invoke-WebRequest -UseBasicParsing -Headers $headerParams -Uri $url)
-
- foreach ($event in ($myReport.Content | ConvertFrom-Json).value) {
- Write-Output $event
- }
-
- } else {
- Write-Host "ERROR: No Access Token"
- }
-```
-
-## Query the APIs
-
-These three APIs provide a multitude of opportunities to retrieve information about risky users and sign-ins in your organization. Below are some common use cases for these APIs and the associated sample requests. You can run these queries using the sample code above or by using [Graph Explorer](https://developer.microsoft.com/graph/graph-explorer).
-
-### Get all of the offline risk detections (riskDetection API)
-
-With Identity Protection sign-in risk policies, you can apply conditions when risk is detected in real time. But what about detections that are discovered offline? To understand what detections occurred offline, and thus would not have triggered the sign-in risk policy, you can query the riskDetection API.
-
-```
-GET https://graph.microsoft.com/v1.0/identityProtection/riskDetections?$filter=detectionTimingType eq 'offline'
-```
-
-### Get all of the users who successfully passed an MFA challenge triggered by risky sign-ins policy (riskyUsers API)
-
-To understand the impact Identity Protection risk-based policies have on your organization, you can query all of the users who successfully passed an MFA challenge triggered by a risky sign-ins policy. This information can help you understand which users Identity Protection may have falsely detected at as risk and which of your legitimate users may be performing actions that the AI deems risky.
-
-```
-GET https://graph.microsoft.com/v1.0/identityProtection/riskyUsers?$filter=riskDetail eq 'userPassedMFADrivenByRiskBasedPolicy'
+Get-MgRiskyUser -All
``` ## Next steps
-Congratulations, you just made your first call to Microsoft Graph!
-Now you can query identity risk detections and use the data however you see fit.
-
-To learn more about Microsoft Graph and how to build applications using the Graph API, check out the [documentation](/graph/overview) and much more on the [Microsoft Graph site](https://developer.microsoft.com/graph).
-
-For related information, see:
--- [Azure Active Directory Identity Protection](./overview-identity-protection.md)-- [Types of risk detections detected by Azure Active Directory Identity Protection](./overview-identity-protection.md)-- [Microsoft Graph](https://developer.microsoft.com/graph/)
+- [Get started with the Microsoft Graph PowerShell SDK](/graph/powershell/get-started)
+- [Tutorial: Identify and remediate risks using Microsoft Graph APIs](/graph/tutorial-riskdetection-api)
- [Overview of Microsoft Graph](https://developer.microsoft.com/graph/docs)
+- [Get access without a user](/graph/auth-v2-service)
- [Azure AD Identity Protection Service Root](/graph/api/resources/identityprotectionroot)
+- [Azure Active Directory Identity Protection](./overview-identity-protection.md)
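Review bot: The placeholder for `$Thumbprint` reads `<your client secret here>` although the comment and `Connect-MgGraph -CertificateThumbprint` expect the certificate thumbprint captured in the previous step; change it to `<your certificate thumbprint here>`. Likewise `$tenantdomain` is now commented as the Directory (tenant) ID after the "Retrieve your domain name" step was removed; rename it (for example `$TenantId`) or fix the comment so the name matches what `-TenantId` receives. The deleted "Query the APIs" section carried the two most useful queries (offline detections and `riskDetail eq 'userPassedMFADrivenByRiskBasedPolicy'`) and the replacement stops at `Get-MgRiskyUser -All`; keeping those as `-Filter` examples on the SDK cmdlets would preserve the triage use cases the rewrite otherwise drops. Finally, the removed note about protecting the client secret has no counterpart for the certificate's private key, which now carries the same authority.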
active-directory https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-remediate-unblock https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/identity-protection/howto-identity-protection-remediate-unblock.md a/articles/active-directory/identity-protection/howto-identity-protection-remediate-unblock.md
@@ -6,7 +6,7 @@
Previously updated : 10/06/2020 Last updated : 01/25/2021
@@ -88,7 +88,9 @@ To unblock an account based on sign-in risk, administrators have the following o
## PowerShell preview
-Using the Microsoft Graph PowerShell SDK Preview module, organizations can manage risk using PowerShell. The preview modules and sample code can be found in the [Azure AD GitHub repo](https://github.com/AzureAD/IdentityProtectionTools).
+Using the Microsoft Graph PowerShell SDK Preview module, organizations can manage risk using PowerShell. The preview modules and sample code can be found in the [Azure AD GitHub repo](https://github.com/AzureAD/IdentityProtectionTools).
+
+The `Invoke-AzureADIPDismissRiskyUser.ps1` script included in the repo allows organizations to dismiss all risky users in their directory.
## Next steps
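Review bot: The added sentence says `Invoke-AzureADIPDismissRiskyUser.ps1` "allows organizations to dismiss all risky users in their directory" without stating the effect: dismissing clears the risk state, which also lifts any user-risk policy that was blocking those accounts, so a directory-wide dismissal should follow investigation rather than replace it. One sentence making that consequence explicit would keep this from reading as a routine cleanup step.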
active-directory https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/managed-identities-azure-resources/services-support-managed-identities.md a/articles/active-directory/managed-identities-azure-resources/services-support-managed-identities.md
@@ -154,8 +154,6 @@ Refer to the following list to configure managed identity for Azure Data Factory
- [REST](~/articles/data-factory/data-factory-service-identity.md#generate-managed-identity-using-rest-api) - [SDK](~/articles/data-factory/data-factory-service-identity.md#generate-managed-identity-using-sdk) -- ### Azure Event Grid Managed identity type |All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |
@@ -163,13 +161,12 @@ Managed identity type |All Generally Available<br>Global Azure Regions | Azure G
| System assigned | Preview | Preview | Not available | Preview | | User assigned | Not available | Not available | Not available | Not available |
+### Azure Firewall Policy
------
+Managed identity type |All Generally Available<br>Global Azure Regions | Azure Government | Azure Germany | Azure China 21Vianet |
+| | :-: | :-: | :-: | :-: |
+| System assigned | Not available | Not available | Not available | Not available |
+| User assigned | Preview | Not available | Not available | Not available |
### Azure Functions
active-directory https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/roles/permissions-reference.md a/articles/active-directory/roles/permissions-reference.md
@@ -424,7 +424,7 @@ Users with this role can manage alerts and have global read-only access on secur
In | Can do | [Microsoft 365 security center](https://protection.office.com) | All permissions of the Security Reader role<br>View, investigate, and respond to security threats alerts
-Identity Protection Center | All permissions of the Security Reader role<br>Additionally, the ability to perform all Identity Protection Center operations except for resetting passwords
+Azure AD Identity Protection | All permissions of the Security Reader role<br>Additionally, the ability to perform all Identity Protection Center operations except for resetting passwords and configuring alert e-mails.
[Privileged Identity Management](../privileged-identity-management/pim-configure.md) | All permissions of the Security Reader role [Office 365 Security & Compliance Center](https://support.office.com/article/About-Office-365-admin-roles-da585eea-f576-4f55-a1e0-87090b6aaa9d) | All permissions of the Security Reader role<br>View, investigate, and respond to security alerts Windows Defender ATP and EDR | All permissions of the Security Reader role<br>View, investigate, and respond to security alerts
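Review bot: the row label is renamed from "Identity Protection Center" to "Azure AD Identity Protection", but the same line still reads "all Identity Protection Center operations"; rename the body text as well so the row does not mix the old and new product names, e.g. "the ability to perform all Azure AD Identity Protection operations except for resetting passwords and configuring alert e-mails."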
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/advance-kerbf5-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/advance-kerbf5-tutorial.md a/articles/active-directory/saas-apps/advance-kerbf5-tutorial.md
@@ -334,4 +334,10 @@ When you click the F5 tile in the Access Panel, you should be automatically sign
- [Configure F5 single sign-on for Header Based application](headerf5-tutorial.md) -- [Configure F5 single sign-on for Kerberos application](kerbf5-tutorial.md)\ No newline at end of file
+- [Configure F5 single sign-on for Kerberos application](kerbf5-tutorial.md)
+
+- [F5 BIG-IP APM and Azure AD integration for secure hybrid access](https://docs.microsoft.com/azure/active-directory/manage-apps/f5-aad-integration)
+
+- [Tutorial to deploy F5 BIG-IP Virtual Edition VM in Azure IaaS for secure hybrid access](https://docs.microsoft.com/azure/active-directory/manage-apps/f5-bigip-deployment-guide)
+
+- [Tutorial for Azure Active Directory single sign-on integration with F5 BIG-IP for Password-less VPN](https://docs.microsoft.com/azure/active-directory/manage-apps/f5-aad-password-less-vpn)
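Review bot: the three added links use absolute `https://docs.microsoft.com/...` URLs while the existing bullets in the same list use relative paths such as `kerbf5-tutorial.md`; use relative links (`../manage-apps/f5-aad-integration.md`, `../manage-apps/f5-bigip-deployment-guide.md`, `../manage-apps/f5-aad-password-less-vpn.md`) to match the rest of the list, and drop the blank lines between the bullets so they render as one list rather than four separate ones.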
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/box-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/box-tutorial.md a/articles/active-directory/saas-apps/box-tutorial.md
@@ -9,7 +9,7 @@
Previously updated : 01/05/2021 Last updated : 01/21/2021
@@ -90,6 +90,11 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
> [!NOTE] > The Sign-on URL value is not real. Update the value with the actual Sign-On URL. Contact [Box Client support team](https://community.box.com/t5/custom/page/page-id/submit_sso_questionaire) to get the value. You can also refer to the patterns shown in the **Basic SAML Configuration** section in the Azure portal.
+1. Your Box application expects the SAML assertions in a specific format, which requires you to add custom attribute mappings to your SAML token attributes configuration. The following screenshot shows an example for this. The default value of **Unique User Identifier** is **user.userprincipalname** but Box expects this to be mapped with the user's email address. For that you can use **user.mail** attribute from the list or use the appropriate attribute value based on your organization configuration.
+
+ ![image](common/default-attributes.png)
++ 1. On the **Set up single sign-on with SAML** page, in the **SAML Signing Certificate** section, find **Federation Metadata XML** and select **Download** to download the certificate and save it on your computer. ![The Certificate download link](common/metadataxml.png)
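Review bot: the added step tells the reader to change the Unique User Identifier from `user.userprincipalname` to `user.mail`, but the screenshot it points to is `common/default-attributes.png` with alt text "image"; either use a screenshot of the edited mapping or say the image shows the defaults before the change, and give it descriptive alt text. Worth adding too that `user.mail` must be populated for every user who will sign in to Box, since an empty attribute here produces an assertion with an empty NameID and the sign-in fails.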
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/bynder-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/bynder-tutorial.md a/articles/active-directory/saas-apps/bynder-tutorial.md
@@ -78,7 +78,7 @@ Follow these steps to enable Azure AD SSO in the Azure portal.
`https://<company name>.getbynder.com` For a Custom Domain:
- `https;//<subdomain>.<domain>.com`
+ `https://<subdomain>.<domain>.com`
b. In the **Reply URL** text box, type a URL using the following pattern:
@@ -164,4 +164,4 @@ You can also use Microsoft My Apps to test the application in any mode. When you
## Next steps
-Once you configure Bynder you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
\ No newline at end of file
+Once you configure Bynder you can enforce session control, which protects exfiltration and infiltration of your organizationΓÇÖs sensitive data in real time. Session control extends from Conditional Access. [Learn how to enforce session control with Microsoft Cloud App Security](/cloud-app-security/proxy-deployment-any-app).
active-directory https://docs.microsoft.com/en-us/azure/active-directory/saas-apps/headerf5-tutorial https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/saas-apps/headerf5-tutorial.md a/articles/active-directory/saas-apps/headerf5-tutorial.md
@@ -477,4 +477,10 @@ When you click the F5 tile in the Access Panel, you should be automatically sign
- [Configure F5 single sign-on for Kerberos application](kerbf5-tutorial.md) -- [Configure F5 single sign-on for Advanced Kerberos application](advance-kerbf5-tutorial.md)\ No newline at end of file
+- [Configure F5 single sign-on for Advanced Kerberos application](advance-kerbf5-tutorial.md)
+
+- [F5 BIG-IP APM and Azure AD integration for secure hybrid access](https://docs.microsoft.com/azure/active-directory/manage-apps/f5-aad-integration)
+
+- [Tutorial to deploy F5 BIG-IP Virtual Edition VM in Azure IaaS for secure hybrid access](https://docs.microsoft.com/azure/active-directory/manage-apps/f5-bigip-deployment-guide)
+
+- [Tutorial for Azure Active Directory single sign-on integration with F5 BIG-IP for Password-less VPN](https://docs.microsoft.com/azure/active-directory/manage-apps/f5-aad-password-less-vpn)
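Review bot: the added bullets use absolute `https://docs.microsoft.com/...` URLs while the existing entries in this list (`kerbf5-tutorial.md`, `advance-kerbf5-tutorial.md`) are relative; switch them to `../manage-apps/<page>.md` form for consistency, and remove the blank lines between bullets so the list renders as a single list.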
active-directory https://docs.microsoft.com/en-us/azure/active-directory/user-help/user-help-auth-app-faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/active-directory/user-help/user-help-auth-app-faq.md a/articles/active-directory/user-help/user-help-auth-app-faq.md
@@ -29,12 +29,6 @@ The Microsoft Authenticator app replaced the Azure Authenticator app, and it's t
**A**: Registering a device gives your device access to your organization's services and doesn't allow your organization access to your device.
-### Too many app permissions
-
-**Q**: Why does the app request so many permissions?
-
-**A**: Here's the full list of permissions that might be asked for, and how they're used by the app. The specific permissions you see will depend on the type of phone you have. Sometimes your organization wants to know your **Location** before allowing you to access certain resources. The app will request this permission only if your organization has a policy requiring location.
- ### Error adding account **Q**: When I try to add my account, I get an error message saying ΓÇ£The account you're trying to add is not valid at this time. Contact your admin to fix this issue (uniqueness validation).ΓÇ¥ What should I do?
@@ -140,7 +134,7 @@ The Microsoft Authenticator app replaced the Azure Authenticator app, and it's t
**Q**: Why does the app request so many permissions?
-**A**: Here's the full list of permissions that might be asked for, and how they're used by the app. The specific permissions you see will depend on the type of phone you have.<ul><li>**Use biometric hardware.** Some work and school accounts require an additional PIN whenever you verify your identity. The app requires your consent to use biometric or facial recognition instead of entering the PIN.</li><li>**Camera.** Used to scan QR codes when you add a work, school, or non-Microsoft account.</li><li>**Contacts and phone.** The app requires this permission to search for work or school Microsoft accounts on your phone and add them to the app for you.</li><li>**SMS.** Used to make sure your phone number matches the number on record when you sign in with your personal Microsoft account for the first time. We send a text message to the phone on which you installed the app that includes a 6-8 digit verification code. You don't need to find this code and enter it because Authenticator finds it automatically in the text message.</li><li>**Draw over other apps.** The notification you get that verifies your identity is also displayed on any other running app.</li><li>**Receive data from the internet.** This permission is required for sending notifications.</li><li>**Prevent phone from sleeping.** If you register your device with your organization, your organization can change this policy on your phone.</li><li>**Control vibration.** You can choose whether you would like a vibration whenever you receive a notification to verify your identity.</li><li>**Use fingerprint hardware.** Some work and school accounts require an additional PIN whenever you verify your identity. To make the process easier, we allow you to use your fingerprint instead of entering the PIN.</li><li> **View network connections.** When you add a Microsoft account, the app requires network/internet connection.</li><li>**Read the contents of your storage**. 
This permission is only used when you report a technical problem through the app settings. Some information from your storage is collected to diagnose the issue.</li><li>**Full network access.** This permission is required for sending notifications to verify your identity.</li><li>**Run at startup.** If you restart your phone, this permission ensures that you continue you receive notifications to verify your identity.</li></ul>
+**A**: Here's the full list of permissions that might be asked for, and how they're used by the app. The specific permissions you see will depend on the type of phone you have.<ul><li>**Location**. Sometimes your organization wants to know your location before allowing you to access certain resources. The app will request this permission only if your organization has a policy requiring location.</li><li>**Use biometric hardware.** Some work and school accounts require an additional PIN whenever you verify your identity. The app requires your consent to use biometric or facial recognition instead of entering the PIN.</li><li>**Camera.** Used to scan QR codes when you add a work, school, or non-Microsoft account.</li><li>**Contacts and phone.** The app requires this permission to search for work or school Microsoft accounts on your phone and add them to the app for you.</li><li>**SMS.** Used to make sure your phone number matches the number on record when you sign in with your personal Microsoft account for the first time. We send a text message to the phone on which you installed the app that includes a 6-8 digit verification code. You don't need to find this code and enter it because Authenticator finds it automatically in the text message.</li><li>**Draw over other apps.** The notification you get that verifies your identity is also displayed on any other running app.</li><li>**Receive data from the internet.** This permission is required for sending notifications.</li><li>**Prevent phone from sleeping.** If you register your device with your organization, your organization can change this policy on your phone.</li><li>**Control vibration.** You can choose whether you would like a vibration whenever you receive a notification to verify your identity.</li><li>**Use fingerprint hardware.** Some work and school accounts require an additional PIN whenever you verify your identity. 
To make the process easier, we allow you to use your fingerprint instead of entering the PIN.</li><li> **View network connections.** When you add a Microsoft account, the app requires network/internet connection.</li><li>**Read the contents of your storage**. This permission is only used when you report a technical problem through the app settings. Some information from your storage is collected to diagnose the issue.</li><li>**Full network access.** This permission is required for sending notifications to verify your identity.</li><li>**Run at startup.** If you restart your phone, this permission ensures that you continue you receive notifications to verify your identity.</li></ul>
### Approve requests without unlocking
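Review bot: the rewritten answer keeps the typo "ensures that you continue you receive notifications" in the **Run at startup** item (should be "continue to receive"); since this edit replaces the whole list, fix it here. The **Prevent phone from sleeping** item also never says what the permission is used for, only that the organization can change the policy, and **Location** is placed first even though the text says it is requested only when an organization policy requires it; consider moving it to the end with a note that it is policy-dependent.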
aks https://docs.microsoft.com/en-us/azure/aks/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/policy-reference.md a/articles/aks/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure Kubernetes Service description: Lists Azure Policy built-in policy definitions for Azure Kubernetes Service. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
aks https://docs.microsoft.com/en-us/azure/aks/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/aks/security-controls-policy.md a/articles/aks/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Kubernetes Service (AKS) description: Lists Azure Policy Regulatory Compliance controls available for Azure Kubernetes Service (AKS). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
api-management https://docs.microsoft.com/en-us/azure/api-management/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/api-management/policy-reference.md a/articles/api-management/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure API Management description: Lists Azure Policy built-in policy definitions for Azure API Management. These built-in policy definitions provide approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
app-service https://docs.microsoft.com/en-us/azure/app-service/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/policy-reference.md a/articles/app-service/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure App Service description: Lists Azure Policy built-in policy definitions for Azure App Service. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
app-service https://docs.microsoft.com/en-us/azure/app-service/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/app-service/security-controls-policy.md a/articles/app-service/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure App Service description: Lists Azure Policy Regulatory Compliance controls available for Azure App Service. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
automation https://docs.microsoft.com/en-us/azure/automation/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/policy-reference.md a/articles/automation/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure Automation description: Lists Azure Policy built-in policy definitions for Azure Automation. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
automation https://docs.microsoft.com/en-us/azure/automation/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/automation/security-controls-policy.md a/articles/automation/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Automation description: Lists Azure Policy Regulatory Compliance controls available for Azure Automation. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
availability-zones https://docs.microsoft.com/en-us/azure/availability-zones/az-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/availability-zones/az-overview.md a/articles/availability-zones/az-overview.md
@@ -81,102 +81,74 @@ If a service offering is not available in a specific region, you can share your
As mentioned previously, Azure classifies services into three categories: foundational, mainstream, and specialized. Service categories are assigned at general availability. Often, services start their lifecycle as a specialized service and as demand and utilization increases may be promoted to mainstream or foundational. The following table lists the category for services as foundational, mainstream, or specialized. You should note the following about the table: - Some services are non-regional. For information and a list of non-regional services, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/).-- Older generation virtual machines are not listed. For more information, see documentation at [Previous generations of virtual machine sizes](../virtual-machines/sizes-previous-gen.md).
+- Older generation virtual machines are not listed. For more information, see documentation at [Previous generations of virtual machine sizes](../virtual-machines/sizes-previous-gen.md)
+- .Services are not assigned a category until General Availability (GA). For information, and a list of preview services, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/).
> [!div class="mx-tableFixed"]
-> | Foundational | Mainstream | Specialized |
-> | | | |
-> | Account Storage | API Management | Azure API for FHIR |
-> | Application Gateway | App Configuration | Azure Analysis Services |
-> | Azure Backup | App Service | Azure Blockchain Service |
-> | Azure Cosmos DB | Automation | Azure Blueprints |
-> | Azure Data Lake Storage Gen2 | Azure Active Directory Domain Services | Azure Database for MariaDB |
-> | Azure ExpressRoute | Azure Bastion | Azure Dedicated HSM |
-> | Azure SQL Database | Azure Cache for Redis | Azure Dev Spaces |
-> | Cloud Services | Azure Cognitive Search | Azure Digital Twins |
-> | Cloud
-> | Cloud
-> | Cloud
-> | Cloud
-> | Cloud
-> | Cloud
-> | Disk Storage | Azure DDoS Protection | Cloud
-> | Event Hubs | Azure DevTest Labs | Cloud
-> | Key Vault | Azure Firewall | Cognitive Services : Custom Vision |
-> | Load balancer | Azure Firewall Manager | Cognitive Services : Speaker Recognition |
-> | Service Bus | Azure Functions | Data Box Heavy |
-> | Service Fabric | Azure HPC Cache | Data Catalog |
-> | Virtual Machine Scale Sets | Azure IoT Hub | Data Factory : Data Factory V1 |
-> | Virtual Machines | Azure Kubernetes Service (AKS) | Data Lake Analytics |
-> | Virtual Machines: Av2-Series | Azure Machine Learning | Azure Machine Learning Studio (classic)|
-> | Virtual Machines: Bs-Series | Azure Private Link | Microsoft Genomics |
-> | Virtual Machines: DSv2-Series | Azure Red Hat OpenShift | Remote Rendering |
-> | Virtual Machines: DSv3-Series | Azure SignalR Service | Spatial Anchors |
-> | Virtual Machines: Dv2-Series | Azure Site Recovery | StorSimple |
-> | Virtual Machines: Dv3-Series | Azure Stack Hub | Video Indexer |
-> | Virtual Machines: ESv3-Series | Azure Stream Analytics | Virtual Machines: DASv4-Series |
-> | Virtual Machines: Ev3-Series | Azure Synapse Analytics | Virtual Machines: DAv4-Series |
-> | Virtual Machines: F-Series | Batch | Virtual Machines: DCsv2-series |
-> | Virtual Machines: FS-Series | Cloud
-> | Virtual Machines: Instance Level IPs | Cognitive Services | Virtual Machines: EAv4-Series |
-> | Virtual Machines: Reserved IP | Cognitive
-> | Virtual Network | Cognitive
-> | VPN Gateway | Cognitive
-> | | Cognitive
-> | | Cognitive
-> | | Cognitive
-> | | Cognitive
-> | | Container Instances | Virtual Machines: LSv2-Series |
-> | | Container Registry | Virtual Machines: Mv2-Series |
-> | | Data Factory | Virtual Machines: NC-Series |
-> | | Event Grid | Virtual Machines: NCv2-Series |
-> | | HDInsight | Virtual Machines: NCv3-Series |
-> | | Logic Apps | Virtual Machines: NDs-Series |
-> | | Media Services | Virtual Machines: NDv2-Series |
-> | | Network Watcher | Virtual Machines: NV-Series |
-> | | Notification Hubs | Virtual Machines: NVv3-Series |
-> | | Power BI Embedded | Virtual Machines: NVv4-Series |
-> | | Premium Blob Storage | Virtual Machines: SAP HANA on Azure Large Instances |
-> | | Premium Files Storage | Visual Studio App Center |
-> | | Storage: Archive Storage | |
-> | | Ultra Disk Storage | |
-> | | Virtual Machines: Ddsv4-Series | |
-> | | Virtual Machines: Ddv4-Series | |
-> | | Virtual Machines: Dsv4-Series | |
-> | | Virtual Machines: Dv4-Series | |
-> | | Virtual Machines: Edsv4-Series | |
-> | | Virtual Machines: Edv4-Series | |
-> | | Virtual Machines: Esv4-Series | |
-> | | Virtual Machines: Ev4-Series | |
-> | | Virtual Machines: Fsv2-Series | |
-> | | Virtual Machines: M-Series | |
-> | | Virtual WAN | |
-
-### Services resiliency
-
-All Azure management services are architected to be resilient from region-level failures. In the spectrum of failures, one or more Availability Zone failures within a region have a smaller failure radius compared to an entire region failure. Azure can recover from a zone-level failure of management services within the region or from another Azure region. Azure performs critical maintenance one zone at a time within a region, to prevent any failures impacting customer resources deployed across Availability Zones within a region.
-
-### Pricing for VMs in Availability Zones
-
-There is no additional cost for virtual machines deployed in an Availability Zone. 99.99% VM uptime SLA is offered when two or more VMs are deployed across two or more Availability Zones within an Azure region. There will be additional inter-Availability Zone VM-to-VM data transfer charges. For more information, review the [Bandwidth pricing](https://azure.microsoft.com/pricing/details/bandwidth/) page.
-
-### Get started with Availability Zones
--- [Create a virtual machine](../virtual-machines/windows/create-portal-availability-zone.md)-- [Add a Managed Disk using PowerShell](../virtual-machines/windows/attach-disk-ps.md#add-an-empty-data-disk-to-a-virtual-machine)-- [Create a zone redundant virtual machine scale set](../virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones.md)-- [Load balance VMs across zones using a Standard Load Balancer with a zone-redundant frontend](../load-balancer/quickstart-load-balancer-standard-public-cli.md)-- [Load balance VMs within a zone using a Standard Load Balancer with a zonal frontend](../load-balancer/quickstart-load-balancer-standard-public-cli.md)-- [Zone-redundant storage](../storage/common/storage-redundancy.md)-- [SQL Database general purpose tier](../azure-sql/database/high-availability-sla.md#general-purpose-service-tier-zone-redundant-availability-preview)-- [Event Hubs geo-disaster recovery](../event-hubs/event-hubs-geo-dr.md#availability-zones)-- [Service Bus geo-disaster recovery](../service-bus-messaging/service-bus-geo-dr.md#availability-zones)-- [Create a zone-redundant virtual network gateway](../vpn-gateway/create-zone-redundant-vnet-gateway.md)-- [Add zone redundant region for Azure Cosmos DB](../cosmos-db/high-availability.md#availability-zone-support)-- [Getting Started Azure Cache for Redis Availability Zones](https://aka.ms/redis/az/getstarted)-- [Create an Azure Active Directory Domain Services instance](../active-directory-domain-services/tutorial-create-instance.md)-- [Create an Azure Kubernetes Service (AKS) cluster that uses Availability Zones](../aks/availability-zones.md)-- [Enable zone redundancy in Azure Container Registry](../container-registry/zone-redundancy.md)
+> | Foundational | Mainstream | Specialized |
+> ||||
+> | Storage Accounts | API Management | Azure API for FHIR |
+> | Application Gateway | App Configuration | Azure Analysis Services |
+> | Azure Backup | App Service | Azure Cognitive
+> | Azure Cosmos DB | Automation | Azure Cognitive
+> | Azure Data Lake Storage Gen2 | Azure Active Directory Domain Services | Azure Cognitive
+> | Azure ExpressRoute | Azure Bastion | Azure Cognitive
+> | Azure Public IP | Azure Cache for Redis | Azure Cognitive
+> | Azure SQL Database | Azure Cognitive Search | Azure Database for MariaDB |
+> | Azure SQL : Managed Instance | Azure Cognitive Services | Azure Database Migration Service |
+> | Cloud Services | Azure Cognitive
+> | Cloud
+> | Cloud
+> | Cloud
+> | Cloud
+> | Cloud
+> | Cloud
+> | Disk Storage | Azure Cognitive
+> | Event Hubs | Azure Data Explorer | Azure Time Series Insights |
+> | Key Vault | Azure Data Share | Azure VMware Solution |
+> | Load balancer | Azure Database for MySQL | Azure VMware Solution by CloudSimple |
+> | Service Bus | Azure Database for PostgreSQL | Cloud
+> | Service Fabric | Azure Databricks | Data Catalog |
+> | Storage: Hot/Cool Blob Storage Tiers | Azure DDoS Protection | Data Lake Analytics |
+> | Storage: Managed Disks | Azure DevTest Labs | Azure Machine Learning Studio (classic) |
+> | Virtual Machine Scale Sets | Azure Firewall | Spatial Anchors |
+> | Virtual Machines | Azure Firewall Manager | Storage: Archive Storage |
+> | Virtual Machines: Av2-Series | Azure Functions | StorSimple |
+> | Virtual Machines: Bs-Series | Azure IoT Hub | Ultra Disk Storage |
+> | Virtual Machines: DSv2-Series | Azure Kubernetes Service (AKS) | Video Indexer |
+> | Virtual Machines: DSv3-Series | Azure Machine Learning | Virtual Machines: DASv4-Series |
+> | Virtual Machines: Dv2-Series | Azure Monitor: Application Insights | Virtual Machines: DAv4-Series |
+> | Virtual Machines: Dv3-Series | Azure Monitor: Log Analytics | Virtual Machines: DCsv2-series |
+> | Virtual Machines: ESv3-Series | Azure Private Link | Virtual Machines: EASv4-Series |
+> | Virtual Machines: Ev3-Series | Azure Red Hat OpenShift | Virtual Machines: EAv4-Series |
+> | Virtual Machines: Instance Level IPs | Azure Site Recovery | Virtual Machines: HBv1-Series |
+> | Virtual Machines: Reserved IP | Azure Stream Analytics | Virtual Machines: HBv2-Series |
+> | Virtual Network | Azure Synapse Analytics | Virtual Machines: HCv1-Series |
+> | VPN Gateway | Batch | Virtual Machines: H-Series |
+> | | Cloud
+> | | Container Instances | Virtual Machines: Mv2-Series |
+> | | Container Registry | Virtual Machines: NCv3-Series |
+> | | Data Factory | Virtual Machines: NDv2-Series |
+> | | Event Grid | Virtual Machines: NVv3-Series |
+> | | HDInsight | Virtual Machines: NVv4-Series |>
+> | | Logic Apps | Virtual Machines: SAP HANA on Azure Large Instances |
+> | | Media Services | |
+> | | Network Watcher | |
+> | | Notification Hubs | |
+> | | Premium Blob Storage | |
+> | | Premium Files Storage | |
+> | | Virtual Machines: Ddsv4-Series | |
+> | | Virtual Machines: Ddv4-Series | |
+> | | Virtual Machines: Dsv4-Series | |
+> | | Virtual Machines: Dv4-Series | |
+> | | Virtual Machines: Edsv4-Series | |
+> | | Virtual Machines: Edv4-Series | |
+> | | Virtual Machines: Esv4-Series | |
+> | | Virtual Machines: Ev4-Series | |
+> | | Virtual Machines: Fsv2-Series | |
+> | | Virtual Machines: M-Series | |
+> | | Virtual WAN | |
+ ## Next steps
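Review bot: the period at the end of the "Older generation virtual machines" bullet has been moved to the start of the next bullet ("- .Services are not assigned a category ..."); put it back on the first bullet. The rebuilt table has a stray `>` after `Virtual Machines: NVv4-Series |`, and the hunk deletes the "Services resiliency", "Pricing for VMs in Availability Zones" and "Get started with Availability Zones" sections without a replacement in this file; if they moved to az-region.md, add a link from Next steps, otherwise restore them, since the pricing note about inter-zone data transfer charges and the 99.99% VM SLA is otherwise lost.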
availability-zones https://docs.microsoft.com/en-us/azure/availability-zones/az-region https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/availability-zones/az-region.md a/articles/availability-zones/az-region.md
@@ -11,11 +11,9 @@
# Azure Services that support Availability Zones
-Availability Zones is a high availability offering that protects your applications and data from datacenter failures. For the list of existing and upcoming regions that support Availability Zones, see [Regions and Availability Zones in Azure](az-overview.md).
+Microsoft Azure global infrastructure is designed and constructed at every layer to deliver the highest levels of redundancy and resiliency to its customers. Azure infrastructure is composed of geographies, regions, and Availability Zones, which limit the blast radius of a failure and therefore limit potential impact to customer applications and data. The Azure Availability Zones construct was developed to provide a software and networking solution to protect against datacenter failures and to provide increased high availability (HA) to our customers.
-This section lists the Azure services that support Availability Zones.
-
-Services that are available in each region, along with the upcoming roadmap for availability, can be found at [Products available by region](https://azure.microsoft.com/global-infrastructure/services/).
+Availability Zones are unique physical locations within an Azure region. Each zone is made up of one or more datacenters with independent power, cooling, and networking. The physical separation of Availability Zones within a region limits the impact to applications and data from zone failures, such as large-scale flooding, major storms and superstorms, and other events that could disrupt site access, safe passage, extended utilities uptime, and the availability of resources. Availability Zones and their associated datacenters are designed such that if one zone is compromised, the services, capacity, and availability are supported by the other Availability Zones in the region.
All Azure management services are architected to be resilient from region-level failures. In the spectrum of failures, one or more Availability Zone failures within a region have a smaller failure radius compared to an entire region failure. Azure can recover from a zone-level failure of management services within a region. Azure performs critical maintenance one zone at a time within a region, to prevent any failures impacting customer resources deployed across Availability Zones within a region.
@@ -29,165 +27,143 @@ Azure services supporting Availability Zones fall into three categories: **zonal
- **Zone-redundant services** ΓÇô Azure platform replicates the resource and data across zones. Microsoft manages the delivery of high availability since Azure automatically replicates and distributes instances within the region. ZRS, for example, replicates the data across three zones so that a zone failure does not impact the HA of the data. -- **Non-regional services** ΓÇô Services that do not have dependency on a specific Azure region, making them resilient to zone-wide outages as well as region-wide outages.
+- **Non-regional services** ΓÇô Services are always available from Azure geographies and are resilient to zone-wide outages as well as region-wide outages.
To achieve comprehensive business continuity on Azure, build your application architecture using the combination of Availability Zones with Azure region pairs. You can synchronously replicate your applications and data using Availability Zones within an Azure region for high-availability and asynchronously replicate across Azure regions for disaster recovery protection. To learn more, read [building solutions for high availability using Availability Zones](/azure/architecture/high-availability/building-solutions-for-high-availability).
+## Azure services supporting Availability Zones
+
+ - The older generation virtual machines are not listed. For more information, see [Previous generations of virtual machine sizes](../virtual-machines/sizes-previous-gen.md).
+ - As mentioned in the [Regions and Availability Zones in Azure](az-overview.md), some services are non-regional. These services do not have dependency on a specific Azure region, as such are resilient to zone-wide outages as well as region-wide outages. The list of non-regional services can be found at [Products available by region](https://azure.microsoft.com/global-infrastructure/services/).
++
+## Azure regions with Availability Zones
+
-### Azure Services supporting Availability Zones
+| Americas | Europe | Germany | Africa | Asia Pacific |
+|--|-|-||-|
+| | | | | |
+| Canada Central | France Central | Germany West Central | South Africa North* | Japan East |
+| Central US | North Europe | | | Southeast Asia |
+| East US | UK South | | | Australia East |
+| East US 2 | West Europe | | | |
+| South Central US | | | | |
+| US Gov Virginia* | | | | |
+| West US 2 | | | | |
++
+To learn more about Availability Zones and available services support in these regions, contact your Microsoft sales or customer representative. For the upcoming regions that will support Availability Zones, see [Azure geographies](https://azure.microsoft.com/en-us/global-infrastructure/geographies/).
++
+## Azure Services supporting Availability Zones
- Older generation virtual machines are not listed below. For more information, see [previous generations of virtual machine sizes](../virtual-machines/sizes-previous-gen.md). - Some services are non-regional, see [Regions and Availability Zones in Azure](az-overview.md) for more information. These services do not have dependency on a specific Azure region, making them resilient to zone-wide outages and region-wide outages. The list of non-regional services can be found at [Products available by region](https://azure.microsoft.com/global-infrastructure/services/). -
-## Americas
-
-| **Products** | **Central US** | **East US** | **East US 2** | **West US 2** | **Canada Central** |
-|--|--|--|--|--|--|
-| **Compute** | | | | | |
-| [App Service Environments (ILB)](../app-service/environment/zone-redundancy.md#how-to-deploy-an-app-service-environment-in-an-availability-zone) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Service Fabric](../service-fabric/service-fabric-cross-availability-zones.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Virtual Machines Scale Sets](../virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| **Containers** | | | |
-| [Azure Kubernetes Service (AKS)](../aks/availability-zones.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Container Registry](../container-registry/zone-redundancy.md) | | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
-| **Storage** | | | | | |
-| [Azure Data Lake Storage Gen2](../storage/common/storage-account-create.md?tabs=azure-portal) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Premium Files Storage](../storage/files/storage-files-planning.md) | | :heavy_check_mark: | | :heavy_check_mark: | :heavy_check_mark: |
-| [Blob Storage](../storage/blobs/storage-blobs-introduction.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Managed Disks](https://azure.microsoft.com/en-gb/updates/azure-managed-snapshots-images-ga/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| **Networking** | | | | | |
-| [Application Gateway V2](../application-gateway/application-gateway-autoscaling-zone-redundant.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Express Route](../expressroute/designing-for-high-availability-with-expressroute.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Firewall](../firewall/deploy-availability-zone-powershell.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Standard IP Address](../virtual-network/public-ip-addresses.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Load Balancer](../load-balancer/load-balancer-standard-availability-zones.md#concepts) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Virtual Network](../vpn-gateway/create-zone-redundant-vnet-gateway.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Virtual Network NAT](../virtual-network/nat-gateway-resource.md#availability-zones) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Virtual WAN](../virtual-wan/virtual-wan-faq.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [VPN Gateway](../vpn-gateway/about-zone-redundant-vnet-gateways.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| **Databases** | | | | | |
-| [Azure Cache for Redis](../azure-cache-for-redis/cache-overview.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Cosmos DB](../cosmos-db/high-availability.md#availability-zone-support) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Data Explorer](/azure/data-explorer/create-cluster-database-portal) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Database for MySQL - Flexible Server](../mysql/flexible-server/concepts-high-availability.md) | :x: | :x: | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| [Azure Database for PostgreSQL - Flexible Server](../postgresql/flexible-server/overview.md) | :x: | :x: | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| [Azure SQL Database (General Purpose Tier)](../azure-sql/database/high-availability-sla.md#general-purpose-service-tier-zone-redundant-availability-preview) | :x: | :heavy_check_mark:(Preview) | :heavy_check_mark:(Preview) | :heavy_check_mark:(Preview) | :x: |
-| [Azure SQL Database (Premium & Business Critical Tiers)](../azure-sql/database/high-availability-sla.md#premium-and-business-critical-service-tier-zone-redundant-availability) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| **Analytics** | | | | | |
-| [Event Hubs](../event-hubs/index.yml) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| **Integration** | | | | | |
-| [Event Grid](../event-grid/index.yml) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Service Bus](../service-fabric/service-fabric-cross-availability-zones.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| **Management and Governance** | | | | | |
-| [Network Watcher](../network-watcher/frequently-asked-questions.md) | :x: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :x: |
-| **Security** | | | | | |
-| [Azure Active Directory Domain Services](../active-directory-domain-services/overview.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
-
-## Europe
-
-| **Products** | **France Central** | **North Europe** | **UK South** | **West Europe** |
-|--|--|--|--|--|
-| **Compute** | | | | |
-| [App Service Environments (ILB)](../app-service/environment/zone-redundancy.md#how-to-deploy-an-app-service-environment-in-an-availability-zone) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Kubernetes Service (AKS)](../aks/availability-zones.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Service Fabric](../service-fabric/service-fabric-cross-availability-zones.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Virtual Machines Scale Sets](../virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| **Storage** | | | | |
-| [Azure Data Lake Storage Gen2](../storage/common/storage-account-create.md?tabs=azure-portal) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Premium Files Storage](../storage/files/storage-files-planning.md) | | :heavy_check_mark: | :heavy_check_mark: | |
-| [Blob Storage](../storage/blobs/storage-blobs-introduction.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Managed Disks](https://azure.microsoft.com/en-gb/updates/azure-managed-snapshots-images-ga/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| **Networking** | | | | |
-| [Application Gateway V2](../application-gateway/application-gateway-autoscaling-zone-redundant.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Express Route](../expressroute/designing-for-high-availability-with-expressroute.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Firewall](../firewall/deploy-availability-zone-powershell.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Standard IP Address](../virtual-network/public-ip-addresses.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Load Balancer](../load-balancer/load-balancer-standard-availability-zones.md#concepts) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Virtual Network](../vpn-gateway/create-zone-redundant-vnet-gateway.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Virtual Network NAT](../virtual-network/nat-gateway-resource.md#availability-zones) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Virtual WAN](../virtual-wan/virtual-wan-faq.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [VPN Gateway](../vpn-gateway/about-zone-redundant-vnet-gateways.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| **Databases** | | | | |
-| [Azure Cache for Redis](../azure-cache-for-redis/cache-overview.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Cosmos DB](../cosmos-db/high-availability.md#availability-zone-support) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Data Explorer](/azure/data-explorer/create-cluster-database-portal) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Database for MySQL - Flexible Server](../mysql/flexible-server/concepts-high-availability.md) | :x: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Database for PostgreSQL - Flexible Server](../postgresql/flexible-server/overview.md) | :x: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure SQL Database (General Purpose Tier)](../azure-sql/database/high-availability-sla.md#general-purpose-service-tier-zone-redundant-availability-preview) | :heavy_check_mark:(Preview) | :heavy_check_mark:(Preview) | :x: | :heavy_check_mark:(Preview) |
-| [Azure SQL Database (Premium & Business Critical Tiers)](../azure-sql/database/high-availability-sla.md#premium-and-business-critical-service-tier-zone-redundant-availability) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| **Analytics** | | | | |
-| [Event Hubs](../event-hubs/index.yml) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| **Integration** | | | | |
-| [Event Grid](../event-grid/index.yml) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Service Bus](../service-fabric/service-fabric-cross-availability-zones.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| **Management and Governance** | | | | |
-| [Network Watcher](../network-watcher/frequently-asked-questions.md) | :heavy_check_mark: | :heavy_check_mark: | :x: | :heavy_check_mark: |
-| **Security** | | | | |
-| [Azure Active Directory Domain Services](../active-directory-domain-services/overview.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | |
-
-## Asia Pacific
---
-| **Products** | **Japan East** | **Southeast Asia** | **Australia East** |
-|--|--|--|--|
-| **Compute** | | | |
-| [App Service Environments (ILB)](../app-service/environment/zone-redundancy.md#how-to-deploy-an-app-service-environment-in-an-availability-zone) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Kubernetes Service (AKS)](../aks/availability-zones.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Service Fabric](../service-fabric/service-fabric-cross-availability-zones.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Virtual Machines Scale Sets](../virtual-machine-scale-sets/virtual-machine-scale-sets-use-availability-zones.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Virtual Machines](https://azure.microsoft.com/services/virtual-machines/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| **Storage** | | | |
-| [Azure Data Lake Storage Gen2](../storage/common/storage-account-create.md?tabs=azure-portal) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Premium Files Storage](../storage/files/storage-files-planning.md) | | :heavy_check_mark: | :heavy_check_mark: |
-| [Blob Storage](../storage/blobs/storage-blobs-introduction.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Managed Disks](https://azure.microsoft.com/en-gb/updates/azure-managed-snapshots-images-ga/) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| **Networking** | | | |
-| [Application Gateway V2](../application-gateway/application-gateway-autoscaling-zone-redundant.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Express Route](../expressroute/designing-for-high-availability-with-expressroute.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Firewall](../firewall/deploy-availability-zone-powershell.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Standard IP Address](../virtual-network/public-ip-addresses.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Load Balancer](../load-balancer/load-balancer-standard-availability-zones.md#concepts) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Virtual Network](../vpn-gateway/create-zone-redundant-vnet-gateway.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Virtual Network NAT](../virtual-network/nat-gateway-resource.md#availability-zones) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Virtual WAN](../virtual-wan/virtual-wan-faq.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [VPN Gateway](../vpn-gateway/about-zone-redundant-vnet-gateways.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| **Databases** | | | |
-| [Azure Cache for Redis](../azure-cache-for-redis/cache-overview.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Cosmos DB](../cosmos-db/high-availability.md#availability-zone-support) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Data Explorer](/azure/data-explorer/create-cluster-database-portal) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Database for MySQL - Flexible Server](../mysql/flexible-server/concepts-high-availability.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure Database for PostgreSQL - Flexible Server](../postgresql/flexible-server/overview.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Azure SQL Database (General Purpose Tier)](../azure-sql/database/high-availability-sla.md#general-purpose-service-tier-zone-redundant-availability-preview) | :heavy_check_mark:(Preview) | :heavy_check_mark:(Preview) | :heavy_check_mark:(Preview) |
-| [Azure SQL Database (Premium & Business Critical Tiers)](../azure-sql/database/high-availability-sla.md#premium-and-business-critical-service-tier-zone-redundant-availability) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| **Analytics** | | | |
-| [Event Hubs](../event-hubs/index.yml) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| **Integration** | | | |
-| [Event Grid](../event-grid/index.yml) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| [Service Bus](../service-fabric/service-fabric-cross-availability-zones.md) | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: |
-| **Management and Governance** | | | |
-| [Network Watcher](../network-watcher/frequently-asked-questions.md) | :heavy_check_mark: | :x: | :x: |
-| **Security** | | | |
-| [Azure Active Directory Domain Services](../active-directory-domain-services/overview.md) | :heavy_check_mark: | :heavy_check_mark: | |
--
-## Upcoming Availability Zones
-
-Azure offers Availability Zones support in the following regions:
-- US Gov Virginia-- South Africa North-- South Central US-- Germany West Central-
-The list of existing and upcoming regions that support Availability Zones can be found [here](https://azure.microsoft.com/global-infrastructure/geographies/).
-
-To learn more about Availability Zones support in these regions, contact your Microsoft sales or customer representative.
+### Zone Resilient Services
+
+:globe_with_meridians: Non-Regional Services - Services are always available from Azure geographies and are resilient to zone-wide outages as well as region-wide outages.
+
+:large_blue_diamond: Resilient to the zone-wide outages
+
+**Foundational Services**
+
+| Products | Resiliency |
+|--|:-:|
+| Storage Account | :large_blue_diamond: |
+| Application Gateway (V2) | :large_blue_diamond: |
+| Azure Backup | :large_blue_diamond: |
+| Azure Cosmos DB | :large_blue_diamond: |
+| Azure Data Lake Storage Gen 2 | :large_blue_diamond: |
+| Azure Express Route | :large_blue_diamond: |
+| Azure Public IP | :large_blue_diamond: |
+| Azure SQL Database (General Purpose Tier) | :large_blue_diamond: |
+| Azure SQL Database (Premium & Business Critical Tier) | :large_blue_diamond: |
+| Disk Storage | :large_blue_diamond: |
+| Event Hubs | :large_blue_diamond: |
+| Key Vault | :large_blue_diamond: |
+| Load Balancer | :large_blue_diamond: |
+| Service Bus | :large_blue_diamond: |
+| Service Fabric | :large_blue_diamond: |
+| Storage: Hot/Cool Blob Storage Tiers | :large_blue_diamond: |
+| Storage: Managed Disks | :large_blue_diamond: |
+| Virtual Machines Scale Sets | :large_blue_diamond: |
+| Virtual Machines | :large_blue_diamond: |
+| Virtual Machines: Av2-Series | :large_blue_diamond: |
+| Virtual Machines: Bs-Series | :large_blue_diamond: |
+| Virtual Machines: DSv2-Series | :large_blue_diamond: |
+| Virtual Machines: DSv3-Series | :large_blue_diamond: |
+| Virtual Machines: Dv2-Series | :large_blue_diamond: |
+| Virtual Machines: Dv3-Series | :large_blue_diamond: |
+| Virtual Machines: ESv3-Series | :large_blue_diamond: |
+| Virtual Machines: Ev3-Series | :large_blue_diamond: |
+| Virtual Network | :large_blue_diamond: |
+| VPN Gateway | :large_blue_diamond: |
++
+**Mainstream services**
+
+| Products | Resiliency |
+|-|::|
+| App Service Environments | :large_blue_diamond: |
+| Azure Active Directory Domain Services | :large_blue_diamond: |
+| Azure Bastion | :large_blue_diamond: |
+| Azure Cache for Redis | :large_blue_diamond: |
+| Azure Cognitive
+| Azure Data Explorer | :large_blue_diamond: |
+| Azure Database for MySQL ΓÇô Flexible Server | :large_blue_diamond: |
+| Azure Database for PostgreSQL ΓÇô Flexible Server | :large_blue_diamond: |
+| Azure DDoS Protection | :large_blue_diamond: |
+| Azure Firewall | :large_blue_diamond: |
+| Azure Firewall Manager | :large_blue_diamond: |
+| Azure Kubernetes Service (AKS) | :large_blue_diamond: |
+| Azure Private Link | :large_blue_diamond: |
+| Azure Red Hat OpenShift | :large_blue_diamond: |
+| Azure Site Recovery | :large_blue_diamond: |
+| Container Registry | :large_blue_diamond: |
+| Event Grid | :large_blue_diamond: |
+| Network Watcher | :large_blue_diamond: |
+| Power BI Embedded | :large_blue_diamond: |
+| Premium Blob Storage | :large_blue_diamond: |
+| Virtual Machines: Ddsv4-Series | :large_blue_diamond: |
+| Virtual Machines: Ddv4-Series | :large_blue_diamond: |
+| Virtual Machines: Dsv4-Series | :large_blue_diamond: |
+| Virtual Machines: Dv4-Series | :large_blue_diamond: |
+| Virtual Machines: Edsv4-Series | :large_blue_diamond: |
+| Virtual Machines: Edv4-Series | :large_blue_diamond: |
+| Virtual Machines: Esv4-Series | :large_blue_diamond: |
+| Virtual Machines: Ev4-Series | :large_blue_diamond: |
+| Virtual Machines: Fsv2-Series | :large_blue_diamond: |
+| Virtual Machines: M-Series | :large_blue_diamond: |
+| Virtual WAN | :large_blue_diamond: |
++
+**Non-regional**
+
+| Products | Resiliency |
+|--|:-:|
+| Azure DNS | :globe_with_meridians: |
+| Azure Active Directory | :globe_with_meridians: |
+| Azure Advisor | :globe_with_meridians: |
+| Azure Bot Services | :globe_with_meridians: |
+| Azure Defender for IoT | :globe_with_meridians: |
+| Azure Information Protection | :globe_with_meridians: |
+| Azure Lighthouse | :globe_with_meridians: |
+| Azure Managed Applications | :globe_with_meridians: |
+| Azure Maps | :globe_with_meridians: |
+| Azure Policy | :globe_with_meridians: |
+| Azure Resource Graph | :globe_with_meridians: |
+| Azure Stack | :globe_with_meridians: |
+| Azure Stack Edge | :globe_with_meridians: |
+| Cloud Shell | :globe_with_meridians: |
+| Customer Lockbox for Microsoft Azure | :globe_with_meridians: |
+| Microsoft Azure Peering Service | :globe_with_meridians: |
+| Microsoft Azure portal | :globe_with_meridians: |
+| Security Center | :globe_with_meridians: |
+| Traffic Manager | :globe_with_meridians: |
## Pricing for VMs in Availability Zones
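Review bot: The three-category model carried over in the hunk's context line ("zonal, zone-redundant, non-regional") is no longer expressed by the replacement tables: the new legend defines only :globe_with_meridians: (non-regional) and :large_blue_diamond: ("Resilient to the zone-wide outages"), so the Foundational and Mainstream tables cannot tell a reader whether a service is zonal (the customer must place instances in each zone) or zone-redundant (Azure replicates automatically, as the kept zone-redundant bullet describes for ZRS). Either keep a distinct marker per category or say in the legend which category each table covers. Related information loss: the deleted per-region tables marked Azure SQL Database (General Purpose Tier) as "(Preview)" in every region that listed it, yet the new Foundational table shows that tier with a plain :large_blue_diamond: and no preview marker; and the per-region detail (Container Registry, Premium Files Storage, Network Watcher and Azure AD Domain Services were not checked in every region) is replaced by "contact your Microsoft sales or customer representative", which readers designing for zone resilience will miss. The two definitions of non-regional services also drift: the bullet and the legend say "always available from Azure geographies", while the note under the first heading keeps "do not have dependency on a specific Azure region"; pick one wording. Markdown defects to fix before merge: "## Azure services supporting Availability Zones" is added twice (once before the regions table, with only two bullets under it, and again after it); the regions table separator `|--|-|-||-|` contains an empty cell, which breaks the table, and the row directly after it is empty; the Mainstream table separator `|-|::|` is not valid alignment syntax and should be `|--|:-:|` like the other two tables; and the row `| Azure Cognitive` is truncated, missing the rest of the product name and the Resiliency cell. Wording: "as such are resilient" should read "and are therefore resilient", "Resilient to the zone-wide outages" should drop "the", and the Azure geographies link uses a locale-specific `en-us` URL while the Products available by region link is locale-neutral.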
azure-app-configuration https://docs.microsoft.com/en-us/azure/azure-app-configuration/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-app-configuration/policy-reference.md a/articles/azure-app-configuration/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure App Configuration description: Lists Azure Policy built-in policy definitions for Azure App Configuration. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/kubernetes/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/kubernetes/policy-reference.md a/articles/azure-arc/kubernetes/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure Arc enabled Kubernetes description: Lists Azure Policy built-in policy definitions for Azure Arc enabled Kubernetes. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021 #
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/policy-reference.md a/articles/azure-arc/servers/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure Arc enabled servers description: Lists Azure Policy built-in policy definitions for Azure Arc enabled servers (preview). These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
azure-arc https://docs.microsoft.com/en-us/azure/azure-arc/servers/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-arc/servers/security-controls-policy.md a/articles/azure-arc/servers/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Arc enabled servers (preview) description: Lists Azure Policy Regulatory Compliance controls available for Azure Arc enabled servers (preview). These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
azure-cache-for-redis https://docs.microsoft.com/en-us/azure/azure-cache-for-redis/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/policy-reference.md a/articles/azure-cache-for-redis/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure Cache for Redis description: Lists Azure Policy built-in policy definitions for Azure Cache for Redis. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
azure-cache-for-redis https://docs.microsoft.com/en-us/azure/azure-cache-for-redis/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-cache-for-redis/security-controls-policy.md a/articles/azure-cache-for-redis/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Cache for Redis description: Lists Azure Policy Regulatory Compliance controls available for Azure Cache for Redis. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/create-first-function-cli-python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/create-first-function-cli-python.md a/articles/azure-functions/create-first-function-cli-python.md
@@ -30,7 +30,7 @@ Before you begin, you must have the following:
+ [Azure PowerShell](/powershell/azure/install-az-ps) version 5.0 or later.
-+ [Python 3.8 (64-bit)](https://www.python.org/downloads/release/python-382/), [Python 3.7 (64-bit)](https://www.python.org/downloads/release/python-375/), [Python 3.6 (64-bit)](https://www.python.org/downloads/release/python-368/), which are all supported by version 3.x of Azure Functions.
++ [Python versions that are supported by Azure Functions](supported-languages.md#languages-by-runtime-version) ### Prerequisite check
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/create-first-function-vs-code-python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/create-first-function-vs-code-python.md a/articles/azure-functions/create-first-function-vs-code-python.md
@@ -24,7 +24,7 @@ Before you get started, make sure you have the following requirements in place:
+ The [Azure Functions Core Tools](functions-run-local.md#install-the-azure-functions-core-tools) version 3.x.
-+ [Python 3.8](https://www.python.org/downloads/release/python-381/), [Python 3.7](https://www.python.org/downloads/release/python-375/), [Python 3.6](https://www.python.org/downloads/release/python-368/) are supported by Azure Functions (x64).
++ [Python versions that are supported by Azure Functions](supported-languages.md#languages-by-runtime-version) + [Visual Studio Code](https://code.visualstudio.com/) on one of the [supported platforms](https://code.visualstudio.com/docs/supporting/requirements#_platforms).
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/functions-app-settings https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-app-settings.md a/articles/azure-functions/functions-app-settings.md
@@ -234,7 +234,7 @@ Only used when deploying to a Consumption or Premium plans running on Windows. N
## WEBSITE\_CONTENTOVERVNET
-For Premium plans only. A value of `1` enables your function app to scale when you have your storage account restricted to a virtual network. You should enable this setting when restricting your storage account to a virtual network. To learn more, see [Restrict your storage account to a virtual network](functions-networking-options.md#restrict-your-storage-account-to-a-virtual-network-preview).
+For Premium plans only. A value of `1` enables your function app to scale when you have your storage account restricted to a virtual network. You should enable this setting when restricting your storage account to a virtual network. To learn more, see [Restrict your storage account to a virtual network](functions-networking-options.md#restrict-your-storage-account-to-a-virtual-network).
|Key|Sample value| |||
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/functions-dotnet-class-library https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-dotnet-class-library.md a/articles/azure-functions/functions-dotnet-class-library.md
@@ -17,7 +17,7 @@ As a C# developer, you may also be interested in one of the following articles:
| Getting started | Concepts| Guided learning/samples | | -- | -- | -- |
-| <ul><li>[Using Visual Studio](functions-create-your-first-function-visual-studio.md)</li><li>[Using Visual Studio Code](create-first-function-vs-code-csharp.md)</li><li>[Using command line tools](create-first-function-cli-csharp.md)</li></ul> | <ul><li>[Hosting options](functions-scale.md)</li><li>[Performance&nbsp; considerations](functions-best-practices.md)</li><li>[Visual Studio development](functions-develop-vs.md)</li><li>[Dependency injection](functions-dotnet-dependency-injection.md)</li></ul> | <ul><li>[Create serverless applications](/learn/paths/create-serverless-applications/)</li><li>[C# samples](/samples/browse/?products=azure-functions&languages=csharp)</li></ul> |
+| <ul><li>[Using Visual Studio](functions-create-your-first-function-visual-studio.md)</li><li>[Using Visual Studio Code](create-first-function-vs-code-csharp.md)</li><li>[Using command line tools](create-first-function-cli-csharp.md)</li></ul> | <ul><li>[Hosting options](functions-scale.md)</li><li>[Performance&nbsp;considerations](functions-best-practices.md)</li><li>[Visual Studio development](functions-develop-vs.md)</li><li>[Dependency injection](functions-dotnet-dependency-injection.md)</li></ul> | <ul><li>[Create serverless applications](/learn/paths/create-serverless-applications/)</li><li>[C# samples](/samples/browse/?products=azure-functions&languages=csharp)</li></ul> |
Azure Functions supports C# and C# script programming languages. If you're looking for guidance on [using C# in the Azure portal](functions-create-function-app-portal.md), see [C# script (.csx) developer reference](functions-reference-csharp.md).
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/functions-how-to-use-azure-function-app-settings https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-how-to-use-azure-function-app-settings.md a/articles/azure-functions/functions-how-to-use-azure-function-app-settings.md
@@ -33,6 +33,8 @@ These settings are stored encrypted. To learn more, see [Application settings se
# [Portal](#tab/portal)
+To find the application settings, see [Get started in the Azure portal](#get-started-in-the-azure-portal).
+ The **Application settings** tab maintains settings that are used by your function app. You must select **Show values** to see the values in the portal. To add a setting in the portal, select **New application setting** and add the new key-value pair.
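Review bot: the new cross-reference `[Get started in the Azure portal](#get-started-in-the-azure-portal)` points at an in-page anchor that this hunk does not show; confirm the article has a heading with exactly that text, since the link renders whether or not the anchor exists and a mismatch becomes a dead jump. The second added line appears here as a bare `+` in front of the existing "Application settings" paragraph, which suggests only a blank line was inserted; check that the new sentence and the existing paragraph are separated by a blank line so they render as two paragraphs.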
azure-functions https://docs.microsoft.com/en-us/azure/azure-functions/functions-networking-options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-functions/functions-networking-options.md a/articles/azure-functions/functions-networking-options.md
@@ -1,10 +1,10 @@
Title: Azure Functions networking options description: An overview of all networking options available in Azure Functions.-+ Previously updated : 10/27/2020- Last updated : 1/21/2021+ # Azure Functions networking options
@@ -80,12 +80,9 @@ To provide a higher level of security, you can restrict a number of Azure servic
To learn more, see [Virtual network service endpoints](../virtual-network/virtual-network-service-endpoints-overview.md).
-## Restrict your storage account to a virtual network (preview)
+## Restrict your storage account to a virtual network
-When you create a function app, you must create or link to a general-purpose Azure Storage account that supports Blob, Queue, and Table storage. You can replace this storage account with one that is secured with service endpoints or private endpoint. This preview feature currently only works with Windows Premium plans in West Europe. To set up a function with a storage account restricted to a private network:
-
-> [!NOTE]
-> Restricting the storage account only currently works for Premium functions using Windows in West Europe
+When you create a function app, you must create or link to a general-purpose Azure Storage account that supports Blob, Queue, and Table storage. You can replace this storage account with one that is secured with service endpoints or private endpoint. This feature currently only works with Windows Premium plans. To set up a function with a storage account restricted to a private network:
1. Create a function with a storage account that does not have service endpoints enabled. 1. Configure the function to connect to your virtual network.
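Review bot: renaming the heading from "Restrict your storage account to a virtual network (preview)" changes its anchor slug, so any link that used `#restrict-your-storage-account-to-a-virtual-network-preview` must be updated in the same change (the app settings reference in this batch already targets the new slug). In the rewritten paragraph, "secured with service endpoints or private endpoint" should read "service endpoints or a private endpoint". The deleted NOTE callout was the only place the limitation was visually called out; since "This feature currently only works with Windows Premium plans" is still a hard restriction, consider keeping it in a NOTE rather than mid-paragraph so readers scanning the numbered procedure do not miss it.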
azure-government https://docs.microsoft.com/en-us/azure/azure-government/documentation-government-impact-level-5 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-government/documentation-government-impact-level-5.md a/articles/azure-government/documentation-government-impact-level-5.md
@@ -10,7 +10,7 @@ ms.devlang: na
na Previously updated : 1/11/2021 Last updated : 1/25/2021 #Customer intent: As a DoD mission owner, I want to know how to implement a workload at Impact Level 5 in Microsoft Azure Government.
@@ -85,6 +85,12 @@ The Azure Cognitive Services Content Moderator service supports Impact Level 5 w
- Configure encryption at rest of content in the Content Moderator service by [using customer-managed keys in Azure Key Vault](../cognitive-services/content-moderator/content-moderator-encryption-of-data-at-rest.md).
+### [Cognitive
+
+Custom Vision supports Impact Level 5 workloads in Azure Government with this configuration:
+
+- Configure encryption at rest of content in Cognitive Services Custom Vision [using customer-managed keys in Azure Key Vault](https://docs.microsoft.com/azure/cognitive-services/custom-vision-service/custom-vision-encryption-of-data-at-rest#customer-managed-keys-with-azure-key-vault)
+ ### [Cognitive The Cognitive Services Face service supports Impact Level 5 workloads in Azure Government with this configuration:
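Review bot: the new Custom Vision bullet uses an absolute `https://docs.microsoft.com/azure/cognitive-services/custom-vision-service/...` URL and has no terminal period, whereas the Content Moderator bullet directly above it uses a repo-relative `../cognitive-services/content-moderator/...md` path and ends with a period. Use the relative form (`../cognitive-services/custom-vision-service/custom-vision-encryption-of-data-at-rest.md#customer-managed-keys-with-azure-key-vault`, derived from the same URL) so a missing target surfaces as a build warning instead of a live 404, and match the punctuation.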
@@ -97,6 +103,18 @@ The Cognitive Services Language Understanding service supports Impact Level 5 wo
- Configure encryption at rest of content in the Language Understanding service by [using customer-managed keys in Azure Key Vault](../cognitive-services/luis/luis-encryption-of-data-at-rest.md).
+### [Cognitive
+
+Personalizer supports Impact Level 5 workloads in Azure Government with this configuration:
+
+- Configure encryption at rest of content in Cognitive Services Personalizer [using customer-managed keys in Azure Key Vault](https://docs.microsoft.com/azure/cognitive-services/personalizer/personalizer-encryption-of-data-at-rest)
+
+### [Cognitive
+
+Cognitive Services QnA Maker supports Impact Level 5 workloads in Azure Government with this configuration:
+
+- Configure encryption at rest of content in Cognitive Services QnA Maker [using customer-managed keys in Azure Key Vault](https://docs.microsoft.com/azure/cognitive-services/qnamaker/qna-maker-encryption-of-data-at-rest)
+ ### [Cognitive The Cognitive Services Text Analytics service supports Impact Level 5 workloads in Azure Government with no additional configuration required.
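Review bot: the Personalizer and QnA Maker bullets use absolute docs.microsoft.com URLs with no terminal period, while the Language Understanding bullet directly above uses a relative `../cognitive-services/luis/...md` link and a period. Both new URLs also stop at the page level, so readers land at the top of the encryption article rather than at the Key Vault steps; the Custom Vision entry added in this same change links to a `#customer-managed-keys-with-azure-key-vault` anchor, so do the same here if the target pages have that section.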
@@ -121,6 +139,18 @@ For Analytics services availability in Azure Government, see [Products available
Azure Analysis Services supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+### [Azure Databricks](https://azure.microsoft.com/services/databricks/)
+
+Azure Databricks supports Impact Level 5 workloads in Azure Government with this configuration:
+
+- Azure Databricks can be deployed to existing storage accounts which have enabled appropriate [Storage Encryption with Key Vault Managed Keys](https://docs.microsoft.com/azure/azure-government/documentation-government-impact-level-5#storage-encryption-with-key-vault-managed-keys)
+- Leverage [Isolated Virtual Machines](https://docs.microsoft.com/azure/security/fundamentals/isolation-choices#isolated-virtual-machine-sizes) as the ΓÇ£Worker TypeΓÇ¥ when launching Azure Databricks clusters. Isolated VM types when deployed, consume the entire physical host for that VM providing the necessary level of isolation required to support IL5 workloads.
+- Configure Customer-Managed Keys (CMK) for your [Azure Databricks Workspace](https://docs.microsoft.com/azure/databricks/security/keys/customer-managed-key-notebook) and [DBFS](https://docs.microsoft.com/azure/databricks/security/keys/customer-managed-keys-dbfs/).
+
+### [Azure Data Share](https://azure.microsoft.com/services/data-share/)
+
+Azure Data Share supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+ ### [Azure Data Explorer](https://azure.microsoft.com/services/data-explorer/) Azure Data Explorer supports Impact Level 5 workloads in Azure Government with this configuration:
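Review bot: the quotes around Worker Type in the second Databricks bullet are mojibake (`ΓÇ£Worker TypeΓÇ¥`), meaning curly quotes were pasted or saved in a non-UTF-8 encoding; replace them with plain ASCII quotes. The first bullet links back to this same article through an absolute URL (`https://docs.microsoft.com/azure/azure-government/documentation-government-impact-level-5#storage-encryption-with-key-vault-managed-keys`); use the in-page anchor `#storage-encryption-with-key-vault-managed-keys`, as the Import/Export entry later in this file does. Grammar: "existing storage accounts which have enabled" should be "that have enabled", "Isolated VM types when deployed, consume the entire physical host" needs the comma moved ("Isolated VM types, when deployed, consume"), and "Leverage" reads better as "Use".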
@@ -244,6 +274,10 @@ You can encrypt disks that support virtual machine scale sets by using Azure Dis
- [Encrypt disks in virtual machine scale sets](../virtual-machine-scale-sets/disk-encryption-powershell.md)
+### [Windows Virtual Desktop](https://azure.microsoft.com/services/virtual-desktop/)
+
+Windows Virtual Desktop supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+ ## Containers For Containers services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=openshift,app-service-linux,container-registry,service-fabric,container-instances,kubernetes-service&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
@@ -273,6 +307,12 @@ Azure Container Registry supports Impact Level 5 workloads in Azure Government w
For Databases services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=azure-sql,sql-server-stretch-database,redis-cache,database-migration,postgresql,mariadb,mysql,sql-database,cosmos-db&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
+### [Azure API for FHIR](https://azure.microsoft.com/services/azure-api-for-fhir/)
+
+Azure API for FHIR supports Impact Level 5 workloads in Azure Government with this configuration:
+
+- Configure encryption at rest of content in Azure API for FHIR [using customer-managed keys in Azure Key Vault](https://docs.microsoft.com/azure/healthcare-apis/bring-your-own-key)
+ ### [Azure Cache for Redis](https://azure.microsoft.com/services/cache/) Azure Cache for Redis supports Impact Level 5 workloads in Azure Government with no additional configuration required.
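Review bot: the Databases "Products available by region" link directly above filters on `azure-sql,sql-server-stretch-database,redis-cache,database-migration,postgresql,mariadb,mysql,sql-database,cosmos-db`, so Azure API for FHIR will not appear in the availability view this section sends readers to; add its product id to that filter or say where its regional availability is listed. The bullet uses an absolute URL (`https://docs.microsoft.com/azure/healthcare-apis/bring-your-own-key`) where the rest of the file uses `../...md` relative links, and it lacks a terminal period.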
@@ -329,6 +369,10 @@ For Identity services availability in Azure Government, see [Products available
Azure Active Directory supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+### [Azure Active Directory Domain Services](https://azure.microsoft.com/services/active-directory-ds/)
+
+Azure Active Directory Domain Services supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+ ### [Multifactor authentication](../active-directory/authentication/concept-mfa-howitworks.md) Multifactor authentication supports Impact Level 5 workloads in Azure Government with no additional configuration required.
@@ -446,6 +490,10 @@ Azure Resource Manager supports Impact Level 5 workloads in Azure Government wit
Azure Scheduler is being retired and replaced by [Azure Logic Apps](#logic-apps). To continue working with the jobs that you set up in Scheduler, please [migrate to Azure Logic Apps](../scheduler/migrate-from-scheduler-to-logic-apps.md) as soon as you can.
+### [Azure Service Health](https://azure.microsoft.com/features/service-health/)
+
+Azure Service Health supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+ ### [Azure Site Recovery](https://azure.microsoft.com/services/site-recovery/) Azure Site Recovery supports Impact Level 5 workloads in Azure Government with this configuration:
@@ -464,6 +512,10 @@ Log Analytics is intended to be used for monitoring the health and status of ser
Log Analytics may also be used to ingest additional customer-provided logs. These logs may include data ingested as part of operating Azure Security Center or Azure Sentinel. If the ingested logs or the queries written against these logs are categorized as IL5 data, then you should configure customer-managed keys (CMK) for your Log Analytics workspaces and Application Insights components. Once configured, any data sent to your workspaces or components is encrypted with your Azure Key Vault key. For more information, see [Azure Monitor customer-managed keys](../azure-monitor/platform/customer-managed-keys.md).
+### [Microsoft Intune](/intune/what-is-intune)
+
+Intune supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+ ## Media For Media services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=media-services&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
@@ -472,10 +524,20 @@ For Media services availability in Azure Government, see [Products available by
Azure Media Services supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+### [Content Delivery Network](https://azure.microsoft.com/services/cdn/)
+
+Content Delivery Network supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+ ## Migration For Migration services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=database-migration,azure-migrate&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
+### [Azure Data Box](https://azure.microsoft.com/services/databox/)
+
+Azure Data Box supports Impact Level 5 workloads in Azure Government with this configuration:
+
+- Configure encryption at rest of content in Azure Data Box [using customer-managed keys in Azure Key Vault](https://docs.microsoft.com/azure/databox/data-box-customer-managed-encryption-key-portal)
+ ### [Azure Migrate](https://azure.microsoft.com/services/azure-migrate/) Azure Migrate supports Impact Level 5 workloads in Azure Government with this configuration:
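Review bot: the Media availability link filters on `products=media-services` and the Migration availability link on `products=database-migration,azure-migrate`, so neither will list the Content Delivery Network or Azure Data Box entries added in this hunk; extend both filters. The Data Box bullet links to the portal how-to with an absolute URL and no terminal period; use the relative `../databox/data-box-customer-managed-encryption-key-portal.md` form used elsewhere in this file.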
@@ -494,6 +556,14 @@ For Networking services availability in Azure Government, see [Products availabl
Azure Application Gateway supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+### [Azure Bastion](https://azure.microsoft.com/services/azure-bastion/)
+
+Azure Bastion supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+
+### [Azure DDoS Protection](https://azure.microsoft.com/services/ddos-protection/)
+
+Azure DDoS Protection supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+ ### [Azure DNS](https://azure.microsoft.com/services/dns/) Azure DNS supports Impact Level 5 workloads in Azure Government with no additional configuration required.
@@ -510,6 +580,14 @@ Azure Firewall supports Impact Level 5 workloads in Azure Government with no add
Azure Front Door supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+### [Azure Peering Service](https://docs.microsoft.com/azure/peering-service/about)
+
+Microsoft Peering Service supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+
+### [Azure Private Link](https://azure.microsoft.com/services/private-link/)
+
+Azure Private Link supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+ ### [Load Balancer](https://azure.microsoft.com/services/load-balancer/) Azure Load Balancer supports Impact Level 5 workloads in Azure Government with no additional configuration required.
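Review bot: the heading reads "Azure Peering Service" but the sentence under it says "Microsoft Peering Service supports..."; pick one name and use it in both places, as every other entry in this section repeats the heading's product name in its body. The heading link is also an absolute `https://docs.microsoft.com/azure/peering-service/about` URL, whereas the Virtual NAT entry below uses a relative `../virtual-network/nat-overview.md`; prefer the relative path for same-repo articles.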
@@ -526,10 +604,18 @@ Azure Traffic Manager supports Impact Level 5 workloads in Azure Government with
Azure Virtual Network supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+### [Virtual NAT](../virtual-network/nat-overview.md)
+
+Virtual NAT supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+ ### [VPN Gateway](https://azure.microsoft.com/services/vpn-gateway/) Azure VPN Gateway supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+### [Web Application Firewall](https://azure.microsoft.com/services/web-application-firewall/)
+
+Web Application Firewall supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+ ## Security For Security services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=azure-sentinel,azure-dedicated-hsm,security-center,key-vault&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
@@ -538,6 +624,12 @@ For Security services availability in Azure Government, see [Products available
Azure Dedicated HSM supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+### [Azure Information Protection](https://azure.microsoft.com/services/information-protection/)
+
+Azure Information Protection supports Impact Level 5 workloads in Azure Government with this configuration:
+
+- Configure encryption at rest of content in Azure Information Protection [using customer-managed keys in Azure Key Vault](https://docs.microsoft.com/azure/information-protection/byok-price-restrictions)
+ ### [Azure Sentinel](https://azure.microsoft.com/services/azure-sentinel/) Azure Sentinel supports Impact Level 5 workloads in Azure Government with this configuration:
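Review bot: the link text promises steps for "using customer-managed keys in Azure Key Vault" but the target slug is `information-protection/byok-price-restrictions`, which by its name covers BYOK pricing and restrictions rather than configuration; confirm that is the intended page or link the BYOK configuration article. The Security availability link above this section filters on `azure-sentinel,azure-dedicated-hsm,security-center,key-vault` and does not include Azure Information Protection, so the "Products available by region" reference will not show the new entry. Add a terminal period to the bullet to match the rest of the page.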
@@ -556,6 +648,12 @@ Azure Security Center supports Impact Level 5 workloads in Azure Government with
Customer Lockbox for Microsoft Azure supports Impact Level 5 workloads in Azure Government with no additional configuration required. It is available and authorized at IL5 in Azure Government US Gov Arizona, US Gov Texas, and US Gov Virginia regions.
+### [Microsoft Cloud App Security](https://docs.microsoft.com/cloud-app-security/)
+
+Microsoft Cloud App Security supports Impact Level 5 workloads in Azure Government with this configuration:
+
+- Configure encryption at rest of content in Microsoft Cloud App Security [using customer-managed keys in Azure Key Vault](https://docs.microsoft.com/cloud-app-security/cas-compliance-trust#security)
+ ### [Microsoft Defender for Endpoint](/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection, also known as Microsoft Defender ATP) supports Impact Level 5 workloads in Azure Government with no additional configuration required. It is available and [authorized at IL5](./compliance/azure-services-in-fedramp-auditscope.md#azure-government-services-by-audit-scope) in Azure Government and Azure Government for DoD regions.
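Review bot: the Cloud App Security bullet links to `cas-compliance-trust#security`, a section of a compliance and trust overview, under link text that promises customer-managed-key configuration steps; if that section only states that CMK is supported, the entry should say so and link the actual configuration procedure instead. The Security "Products available by region" filter earlier in this file (`azure-sentinel,azure-dedicated-hsm,security-center,key-vault`) does not include Cloud App Security either, and the bullet is missing its terminal period.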
@@ -572,6 +670,12 @@ Microsoft Graph supports Impact Level 5 workloads in Azure Government with no ad
For Storage services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=hpc-cache,managed-disks,storsimple,storage&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
+### [Azure HPC Cache](https://azure.microsoft.com/services/hpc-cache/)
+
+Azure HPC Cache supports Impact Level 5 workloads in Azure Government with this configuration:
+
+- Configure encryption at rest of content in Azure HPC Cache [using customer-managed keys in Azure Key Vault](https://docs.microsoft.com/azure/hpc-cache/customer-keys)
+ ### [Azure Import/Export service](../import-export/storage-import-export-service.md) Azure Import/Export service can be used in Azure Government to import and export Impact Level 5 data. By default, the Import/Export service will encrypt data that's written to the hard drive for transport. When you create a target storage account for import and export of Impact Level 5 data, add storage encryption via customer-managed keys. For more information, see the [storage services section](#storage-encryption-with-key-vault-managed-keys) of this document.
@@ -584,6 +688,12 @@ Azure Archive Storage can be used in Azure Government to support Impact Level 5
The target storage account for Archive Storage can be located in any Azure Government or Azure Government for DoD region.
+### [Azure Netapp Files](https://azure.microsoft.com/services/netapp/)
+
+Azure Netapp Files supports Impact Level 5 workloads in Azure Government with this configuration:
+
+- Configure encryption at rest of content in Azure Netapp Files [using customer-managed keys in Azure Key Vault](https://docs.microsoft.com/azure/azure-netapp-files/azure-netapp-files-faqs#security-faqs)
+ ### [Storage](https://azure.microsoft.com/services/storage/) Azure Storage consists of multiple data features: Blob Storage, File Storage, Table Storage, and Queue Storage. Blob Storage supports both standard and premium storage. Premium storage uses only SSDs, to provide the fastest performance possible. Storage also includes configurations that modify these storage types, like hot and cool to provide appropriate speed-of-availability for data scenarios.
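Review bot: the product name is "Azure NetApp Files" (capital A in NetApp); it is spelled "Netapp" three times in this hunk (heading, sentence, bullet). The bullet links to the FAQ's `#security-faqs` anchor, which answers questions rather than walking through enabling customer-managed keys; if no dedicated configuration article exists, the entry should state what the FAQ actually says is supported. The Storage availability filter above (`products=hpc-cache,managed-disks,storsimple,storage`) does not include Azure NetApp Files, so extend it.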
@@ -618,6 +728,10 @@ StorSimple supports Impact Level 5 workloads in Azure Government with this confi
For Web services availability in Azure Government, see [Products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=spring-cloud,signalr-service,app-service-linux,app-service&regions=non-regional,usgov-non-regional,us-dod-central,us-dod-east,usgov-arizona,usgov-texas,usgov-virginia).
+### [Azure SignalR Service](https://azure.microsoft.com/services/signalr-service/)
+
+Azure SignalR Service supports Impact Level 5 workloads in Azure Government with no additional configuration required.
+ ### [Web Apps feature of Azure App Service](https://azure.microsoft.com/services/app-service/web/) Web Apps supports Impact Level 5 workloads in Azure Government with this configuration:
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/app/codeless-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/codeless-overview.md a/articles/azure-monitor/app/codeless-overview.md
@@ -19,17 +19,17 @@ Application Insights is integrated with various resource providers and works on
As we're adding more and more integrations, the auto-instrumentation capability matrix becomes complex. The table below shows you the current state of the matter as far as support for various resource providers, languages, and environments go.
-|Environment/Resource Provider | .NET | .NET Core | Java | Node.js |
-||--|--|--|--|
-|Azure App Service on Windows | GA, OnBD* | GA, opt-in | Private Preview | Private Preview |
-|Azure App Service on Linux | N/A | Not supported | Private Preview | Public Preview |
-|Azure App Service on AKS | N/A | In design | In design | In design |
-|Azure Functions - basic | GA, OnBD* | GA, OnBD* | GA, OnBD* | GA, OnBD* |
-|Azure Functions Windows - dependencies | Not supported | Not supported | Public Preview | Not supported |
-|Azure Kubernetes Service | N/A | In design | Through agent | In design |
-|Azure VMs Windows | Public Preview | Not supported | Not supported | Not supported |
-|On-Premises VMs Windows | GA, opt-in | Not supported | Through agent | Not supported |
-|Standalone agent - any env. | Not supported | Not supported | GA | Not supported |
+|Environment/Resource Provider | .NET | .NET Core | Java | Node.js | Python |
+||--|--|--|--|--|
+|Azure App Service on Windows | GA, OnBD* | GA, opt-in | Private Preview | Private Preview | Not supported |
+|Azure App Service on Linux | N/A | Not supported | Private Preview | Public Preview | Not supported |
+|Azure App Service on AKS | N/A | In design | In design | In design | Not supported |
+|Azure Functions - basic | GA, OnBD* | GA, OnBD* | GA, OnBD* | GA, OnBD* | GA, OnBD* |
+|Azure Functions Windows - dependencies | Not supported | Not supported | Public Preview | Not supported | Not supported |
+|Azure Kubernetes Service | N/A | In design | Through agent | In design | Not supported |
+|Azure VMs Windows | Public Preview | Not supported | Not supported | Not supported | Not supported |
+|On-Premises VMs Windows | GA, opt-in | Not supported | Through agent | Not supported | Not supported |
+|Standalone agent - any env. | Not supported | Not supported | GA | Not supported | Not supported |
*OnBD is short for On by Default - the Application Insights will be enabled automatically once you deploy your app in supported environments.
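Review bot: the new Python column marks every environment except "Azure Functions - basic" as "Not supported", but the table distinguishes "N/A" (the runtime does not exist on that platform, e.g. .NET Framework on Linux) from "Not supported" (runtime exists, auto-instrumentation does not). Check the Python cells for platforms where Python itself is not offered and use "N/A" there so the two values keep their distinct meanings; otherwise the added column reads as a blanket gap rather than a roadmap signal.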
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/app/java-standalone-troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/app/java-standalone-troubleshoot.md a/articles/azure-monitor/app/java-standalone-troubleshoot.md
@@ -46,36 +46,66 @@ See the [auto-collected logging configuration](./java-standalone-config.md#auto-
## Import SSL certificates
-If you're using the default Java keystore, it will already have all of the CA root certificates. You shouldn't need to import more SSL certificates.
+This section helps you to troubleshoot and possibly fix the exceptions related to SSL certificates when using the Java agent.
-If you're using a custom Java keystore, you might need to import the Application Insights endpoint SSL certificates into it.
+There are two different paths to troubleshoot this issue.
-### Key terminology
-A *keystore* is a repository of certificates, public keys, and private keys. Usually, Java Development Kit distributions have an executable to manage them: `keytool`.
+### If using a default Java Keystore:
-The following example is a simple command to import an SSL certificate to the keystore:
+Typically the default Java keystore will already have all of the CA root certificates. However there might be some exceptions, such as the ingestion endpoint certificate might be signed by a different root certificate. So we recommend the following three steps to resolve this issue:
-`keytool -importcert -alias your_ssl_certificate -file "your downloaded SSL certificate name".cer -keystore "Your KeyStore name" -storepass "Your keystore password" -noprompt`
+1. Check if the root certificate that was used to sign the Application Insights endpoint is already present in the default keystore. The trusted CA certificates, by default, are stored in `$JAVA_HOME/jre/lib/security/cacerts`. To list certificates in a Java keystore use the following command:
+ > `keytool -list -v -keystore $PATH_TO_KEYSTORE_FILE`
+
+ You can redirect the output to a temp file like this (will be easy to search later)
+ > `keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts > temp.txt`
-### Steps to download and add an SSL certificate
+2. Once you have the list of certificates, follow these [steps](#steps-to-download-ssl-certificate) to download the root certificate that was used to sign the Application Insights endpoint.
+
+ Once you have the certificate downloaded, generate a SHA-1 hash on the certificate using the below command:
+ > `keytool -printcert -v -file "your_downloaded_root_certificate.cer"`
+
+ Copy the SHA-1 value and check if this value is present in "temp.txt" file you saved previously. If you are not able to find the SHA-1 value in the temp file, it indicates that the downloaded root cert is missing in default Java Keystore.
++
+3. Import the root certificate to the default Java keystore using the following command:
+ > `keytool -import -file "the cert file" -alias "some meaningful name" -keystore "path to cacerts file"`
+
+ In this case it will be
+
+ > `keytool -import -file "your downloaded root cert file" -alias "some meaningful name" $JAVA_HOME/jre/lib/security/cacerts`
++
+### If using a custom Java Keystore:
+
+If you are using a custom Java keystore, you may need to import the Application Insights endpoint(s) root SSL certificate(s) into it.
+We recommend the following two steps to resolve this issue:
+1. Follow these [steps](#steps-to-download-ssl-certificate) to download the root certificate from the Application Insights endpoint.
+2. Use the following command to import the root SSL certificate to the custom Java keystore:
+ > `keytool -importcert -alias your_ssl_certificate -file "your downloaded SSL certificate name.cer" -keystore "Your KeyStore name" -storepass "Your keystore password" -noprompt`
+
+### Steps to download SSL certificate
1. Open your favorite browser and go to the `IngestionEndpoint` URL present in the connection string that's used to instrument your application.
- :::image type="content" source="media/java-ipa/troubleshooting/ingestion-endpoint-url.png" alt-text="Screenshot that shows an Application Insights connection string.":::
+ :::image type="content" source="media/java-ipa/troubleshooting/ingestion-endpoint-snippet.png" alt-text="Screenshot that shows an Application Insights connection string." lightbox="media/java-ipa/troubleshooting/ingestion-endpoint-snippet.png":::
2. Select the **View site information** (lock) icon in the browser, and then select the **Certificate** option.
- :::image type="content" source="media/java-ipa/troubleshooting/certificate-icon-capture.png" alt-text="Screenshot of the Certificate option in site information.":::
+ :::image type="content" source="media/java-ipa/troubleshooting/certificate-icon-capture.png" alt-text="Screenshot of the Certificate option in site information." lightbox="media/java-ipa/troubleshooting/certificate-icon-capture.png":::
+
+3. Instead of downloading the 'leaf' certificate you should download the 'root' certificate as shown below. Later, you have to click on the "Certificate Path" -> Select the Root Certificate -> Click on 'View Certificate'. This will pop up a new certificate menu and you can download the certificate, from the new menu.
+
+ :::image type="content" source="media/java-ipa/troubleshooting/root-certificate-selection.png" alt-text="Screenshot of how to select the root certificate." lightbox="media/java-ipa/troubleshooting/root-certificate-selection.png":::
-3. Go to the **Details** tab and select **Copy to file**.
-4. Select the **Next** button, select **Base-64 encoded X.509 (.CER)** format, and then select **Next** again.
+4. Go to the **Details** tab and select **Copy to file**.
+5. Select the **Next** button, select **Base-64 encoded X.509 (.CER)** format, and then select **Next** again.
- :::image type="content" source="media/java-ipa/troubleshooting/certificate-export-wizard.png" alt-text="Screenshot of the Certificate Export Wizard, with a format selected.":::
+ :::image type="content" source="media/java-ipa/troubleshooting/certificate-export-wizard.png" alt-text="Screenshot of the Certificate Export Wizard, with a format selected." lightbox="media/java-ipa/troubleshooting/certificate-export-wizard.png":::
-5. Specify the file where you want to save the SSL certificate. Then select **Next** > **Finish**. You should see a "The export was successful" message.
-6. After you have the certificate, it's time to import the certificate into a Java keystore. Use the [preceding command](#key-terminology) to import certificates.
+6. Specify the file where you want to save the SSL certificate. Then select **Next** > **Finish**. You should see a "The export was successful" message.
> [!WARNING] > You'll need to repeat these steps to get the new certificate before the current certificate expires. You can find the expiration information on the **Details** tab of the **Certificate** dialog box. >
-> :::image type="content" source="media/java-ipa/troubleshooting/certificate-details.png" alt-text="Screenshot that shows SSL certificate details.":::
+> :::image type="content" source="media/java-ipa/troubleshooting/certificate-details.png" alt-text="Screenshot that shows SSL certificate details." lightbox="media/java-ipa/troubleshooting/certificate-details.png":::
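Review bot: the worked command in step 3 (`keytool -import -file "your downloaded root cert file" -alias "some meaningful name" $JAVA_HOME/jre/lib/security/cacerts`) omits the `-keystore` option present in the template line above it; keytool does not accept a positional keystore path, so the command fails as written and should end with `-keystore $JAVA_HOME/jre/lib/security/cacerts`. The two lines that add a lone `+` (after step 2 and after step 3) will render as a literal plus sign in the article; drop them. `$JAVA_HOME/jre/lib/security/cacerts` is only correct for JDK 8 and earlier; JDK 9 and later have no `jre` directory and keep the default truststore at `$JAVA_HOME/lib/security/cacerts`, so give both paths. In step 2, `keytool -printcert -v` prints both SHA-1 and SHA-256 fingerprints; have readers compare the SHA-256 value, and say explicitly that importing into `cacerts` extends trust to every TLS connection made by that JDK, which is why the fingerprint check belongs before the import (the import will also prompt for the truststore password). Style: the two new subsection headings end with a colon and capitalise "Keystore" differently from the body text, and the commands are quoted inline inside `>` blocks where fenced code blocks would be easier to copy.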
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/faq.md a/articles/azure-monitor/faq.md
@@ -377,6 +377,12 @@ Use a single resource for all the components or roles in a single business syste
* If one real user uses your site in different browsers, or using in-private/incognito browsing, or different machines, then they will be counted more than once. * To identify a logged-in user across machines and browsers, add a call to [setAuthenticatedUserContext()](app/api-custom-events-metrics.md#authenticated-users).
+### How does Application Insights generate device information (Browser, OS, Language, Model)?
+
+The browser passes the User Agent string in the HTTP header of the request, and the Application Insights ingestion service uses [UA Parser](https://github.com/ua-parser/uap-core) to generate the fields you see in the data tables and experiences. As a result, Application Insights users are unable to change these fields.
+
+Occasionally this data may be missing or inaccurate if the user or enterprise disables sending User Agent in Browser settings. Additionally, the [UA Parser regexes](https://github.com/ua-parser/uap-core/blob/master/regexes.yaml) may not include all device information or Application Insights may not have adopted the latest updates.
+ ### <a name="q17"></a> Have I enabled everything in Application Insights? | What you should see | How to get it | Why you want it | | | | |
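Review bot: The new section should say plainly that the Browser, OS, Language and Model fields are derived from a client-supplied value and are therefore informational only; the text already admits the data "may be missing or inaccurate", and a reader building alerts or access logic on these fields needs to know they cannot be trusted as an identity or device signal. One sentence after "Application Insights users are unable to change these fields" would cover it. Minor: the HTTP header is named `User-Agent` (hyphenated), so "passes the User Agent string in the HTTP header" reads better as "passes the `User-Agent` request header".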
@@ -817,4 +823,4 @@ If your question isn't answered here, you can refer to the following forums to a
- [Log Analytics](/answers/topics/azure-monitor.html) - [Application Insights](/answers/topics/azure-monitor.html)
-For general feedback on Azure Monitor please visit the [feedback forum](https://feedback.azure.com/forums/34192--general-feedback).
\ No newline at end of file
+For general feedback on Azure Monitor please visit the [feedback forum](https://feedback.azure.com/forums/34192--general-feedback).
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/itsmc-resync-servicenow https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/itsmc-resync-servicenow.md a/articles/azure-monitor/platform/itsmc-resync-servicenow.md
@@ -17,16 +17,16 @@ Use the following synchronization process to reactivate the connection and refre
1. Search for the solution in the top search banner, then select the relevant solutions
- ![Screenshot that shows the top search banner and where to select the relevant solutions.](media/itsmc-resync-servicenow/solution-search-8bit.png)
+ ![Screenshot that shows the top search banner and where to select the relevant solutions.](media/itsmc-resync-servicenow/solution-search-8-bit.png)
1. In solution screen, choose "Select All" in the subscription filter and then filter by "ServiceDesk"
- ![Screenshot that shows where to choose Select All and where to filter by ServiceDesk.](media/itsmc-resync-servicenow/solutions-list-8bit.png)
+ ![Screenshot that shows where to choose Select All and where to filter by ServiceDesk.](media/itsmc-resync-servicenow/solutions-list-8-bit.png)
1. Select the solution of your ITSM connection. 1. Select ITSM connection in the left banner.
- ![Screenshot that shows where to select ITSM Connections.](media/itsmc-resync-servicenow/itsm-connector-8bit.png)
+ ![Screenshot that shows where to select ITSM Connections.](media/itsmc-resync-servicenow/itsm-connector-8-bit.png)
1. Select each connector from the list. 1. Click the Connector name in order to configure it
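Review bot: The three screenshot paths are renamed from `*-8bit.png` to `*-8-bit.png` without a visible rename of the files under `media/itsmc-resync-servicenow/`; if the binaries are not moved in the same commit, every screenshot in this procedure breaks. Confirm the media files are renamed alongside, and keep the new spelling consistent with the second hunk of this file.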
@@ -36,10 +36,10 @@ Use the following synchronization process to reactivate the connection and refre
1. Click on sync
- ![Screenshot that highlights the Sync button.](media/itsmc-resync-servicenow/resync-8bit2.png)
+ ![Screenshot that highlights the Sync button.](media/itsmc-resync-servicenow/resync-8-bit-2.png)
1. Click on save
- ![New connection](media/itsmc-resync-servicenow/save-8bit.png)
+ ![New connection](media/itsmc-resync-servicenow/save-8-bit.png)
f. Review the notifications to see if the process started.
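Review bot: The final step "f. Review the notifications to see if the process started." is a leftover from lettered numbering while every other step in this list uses "1." auto-numbering; change it to "1. Review the notifications..." so it renders as part of the same list. Also the alt text "New connection" on the save screenshot is far less descriptive than its siblings ("Screenshot that highlights the Sync button."); suggest "Screenshot that highlights the Save button."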
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/logs-data-export https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/logs-data-export.md a/articles/azure-monitor/platform/logs-data-export.md
@@ -14,7 +14,7 @@ Last updated 10/14/2020
Log Analytics workspace data export in Azure Monitor allows you to continuously export data from selected tables in your Log Analytics workspace to an Azure storage account or Azure Event Hubs as it's collected. This article provides details on this feature and steps to configure data export in your workspaces. ## Overview
-Once data export is configured for your Log Analytics workspace, any new data sent to the selected tables in the workspace is automatically exported to your storage account hourly or to your event hub in near-real-time.
+Once data export is configured for your Log Analytics workspace, any new data sent to the selected tables in the workspace is automatically exported to your storage account or to your event hub in near-real-time.
![Data export overview](media/logs-data-export/data-export-overview.png)
@@ -63,7 +63,7 @@ There are currently no additional charges for the data export feature. Pricing f
## Export destinations ### Storage account
-Data is sent to storage accounts every hour. The data export configuration creates a container for each table in the storage account with the name *am-* followed by the name of the table. For example, the table *SecurityEvent* would sent to a container named *am-SecurityEvent*.
+Data is sent to storage accounts in near-real-time as it reaches Azure Monitor. The data export configuration creates a container for each table in the storage account with the name *am-* followed by the name of the table. For example, the table *SecurityEvent* would sent to a container named *am-SecurityEvent*.
The storage account blob path is *WorkspaceResourceId=/subscriptions/subscription-id/resourcegroups/\<resource-group\>/providers/microsoft.operationalinsights/workspaces/\<workspace\>/y=\<four-digit numeric year\>/m=\<two-digit numeric month\>/d=\<two-digit numeric day\>/h=\<two-digit 24-hour clock hour\>/m=00/PT1H.json*. Since append blobs are limited to 50K writes in storage, the number of exported blobs may extend if the number of appends is high. The naming pattern for blobs in such a case would be PT1H_#.json, where # is the incremental blob count.
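Review bot: The added line carries over the grammar error "the table *SecurityEvent* would sent to a container"; it should read "would be sent to". Also, now that the text says data reaches storage "in near-real-time", the unchanged sentence that follows still describes hour-partitioned blobs (`h=<two-digit 24-hour clock hour>/m=00/PT1H.json`); a short clarifying sentence stating that blobs remain partitioned by hour while data is appended as it arrives would prevent readers from reading the two statements as a contradiction. The hunk header shows `Last updated 10/14/2020` unchanged even though the behaviour described has changed; bump the date.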
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/metrics-charts https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/metrics-charts.md a/articles/azure-monitor/platform/metrics-charts.md
@@ -125,16 +125,19 @@ You can apply filters to charts whose metrics have dimensions. For example, imag
![Screenshot that shows the dimensions (properties) you can filter.](./media/metrics-charts/028.png)
-3. Select the dimension values you want to include when you plot the chart. The following example filters out the successful storage transactions:
+3. Select the operator you want to apply against the dimension (property). The default operator is = (equals)
+
+ ![Screenshot that shows the operator you can use with the filter.](./media/metrics-charts/filter-operator.png)
+
+4. Select which dimension values you want to apply to the filter when plotting the chart (this example shows filtering out the successful storage transactions):
![Screenshot that shows the successful filtered storage transactions.](./media/metrics-charts/029.png)
-4. Select outside the **Filter Selector** to close it. Now the chart shows how many storage transactions have failed:
+5. After selecting the filter values, click away from the Filter Selector to close it. Now the chart shows how many storage transactions have failed:
![Screenshot that shows how many storage transactions have failed.](./media/metrics-charts/030.png)
-You can repeat these steps to apply multiple filters to the same charts.
-
+6. You can repeat steps 1-5 to apply multiple filters to the same charts.
## Metric splitting
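Review bot: The rewritten step 5 drops the bold UI element name that the removed line had (`**Filter Selector**` became plain "Filter Selector") and switches from "Select outside" to "click away from"; keep the bold and the "select" verb for consistency with the rest of the article. Step 3's "The default operator is = (equals)" is missing its terminal period.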
@@ -154,9 +157,18 @@ You can split a metric by dimension to visualize how different segments of the m
The chart now shows multiple lines, one for each dimension segment:
- ![Screenshot that shows lines for each dimension segment.](./media/metrics-charts/032.png)
+ ![Screenshot that shows multiple lines, one for each segment of dimension.](./media/metrics-charts/segment-dimension.png)
+
+3. Choose a limit on the number of values to be displayed after splitting by selected dimension. The default limit is 10 as shown in the above chart. The range of limit is 1 - 50.
+
+ ![Screenshot that shows split limit, which restricts the number of values after splitting.](./media/metrics-charts/segment-dimension-limit.png)
+
+4. Choose the sort order on segments: Ascending or Descending. The default selection is descending.
+
+ ![Screenshot that shows sort order on split values.](./media/metrics-charts/segment-dimension-sort.png)
-3. Select outside the **Grouping Selector** to close it.
+5. Click away from the **Grouping Selector** to close it.
+
> [!NOTE] > To hide segments that are irrelevant for your scenario and to make your charts easier to read, use both filtering and splitting on the same dimension.
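Review bot: Step 3's "The range of limit is 1 - 50." is awkward; suggest "The limit can be set between 1 and 50." and "as shown in the above chart" reads better as "as shown in the preceding chart". In step 5, "Click away from the **Grouping Selector**" uses "click" where the replaced line and the rest of the article use "select"; prefer "Select outside the **Grouping Selector** to close it."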
@@ -228,4 +240,4 @@ If you don't see any data on your chart, review the following troubleshooting in
To create actionable dashboards by using metrics, see [Creating custom KPI dashboards](../learn/tutorial-app-dashboards.md).
-
\ No newline at end of file
+
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/platform/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/platform/security-controls-policy.md a/articles/azure-monitor/platform/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Monitor description: Lists Azure Policy Regulatory Compliance controls available for Azure Monitor. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/samples/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/samples/policy-reference.md a/articles/azure-monitor/samples/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure Monitor description: Lists Azure Policy built-in policy definitions for Azure Monitor. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
azure-monitor https://docs.microsoft.com/en-us/azure/azure-monitor/visualizations https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-monitor/visualizations.md a/articles/azure-monitor/visualizations.md
@@ -5,7 +5,7 @@
Previously updated : 03/17/2020 Last updated : 01/25/2021
@@ -42,9 +42,9 @@ Here is a video walkthrough on creating dashboards.
> [!VIDEO https://www.microsoft.com/en-us/videoplayer/embed/RE4AslH] ### Advantages-- Deep integration into Azure. Visualizations can be pinned to dashboards from multiple Azure pages including Metrics Explorer, Log Analytics, and Application Insights.
+- Deep integration into Azure. Visualizations can be pinned to dashboards from multiple Azure pages including [Metrics Explorer](platform/metrics-charts.md), [Log Analytics](log-query/log-analytics-overview.md), and [Application Insights](app/app-insights-overview.md).
- Supports both metrics and logs.-- Combine data from multiple sources including output from [metrics explorer](platform/metrics-charts.md), [Log queries](log-query/log-query-overview.md), and [maps](app/app-map.md) and availability in Application Insights.
+- Combine data from multiple sources including output from [Metrics Explorer](platform/metrics-charts.md), [Log queries](log-query/log-query-overview.md), and [maps](app/app-map.md) and availability in [Application Insights](app/app-insights-overview.md).
- Option for personal or shared dashboards. Integrated with [Azure role-based access control (Azure RBAC)](../role-based-access-control/overview.md). - Automatic refresh. Metrics refresh depends on time range with minimum of five minutes. Logs refresh every hour, with a manual refresh option on demand by clicking the "refresh" icon on a given visualization, or by refreshing the full dashboard. - Parametrized metrics dashboards with timestamp and custom parameters.
@@ -53,7 +53,7 @@ Here is a video walkthrough on creating dashboards.
### Limitations-- Limited control over log visualizations with no support for data tables. Total number of data series is limited to 10 with further data series grouped under an _other_ bucket.
+- Limited control over log visualizations with no support for data tables. Total number of data series is limited to 50 with further data series grouped under an _other_ bucket.
- No custom parameters support for log charts. - Log charts are limited to last 30 days. - Log charts can only be pinned to shared dashboards.
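Review bot: The data series limit changes from 10 to 50 with no accompanying reference; since the same limit is presumably documented on the dashboard page linked elsewhere in this article, add a link or confirm both places agree so the two numbers do not drift apart again.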
@@ -136,8 +136,9 @@ You can access data in log and metric data in Azure Monitor through their API us
## Next steps - Learn about the [data collected by Azure Monitor](platform/data-platform.md). - Learn about [Azure dashboards](../azure-portal/azure-portal-dashboards.md).-- Learn about [Views in Azure Monitor](platform/view-designer.md).
+- Learn about [Metrics Explorer](platform/metrics-getting-started.md)
- Learn about [Workbooks](./platform/workbooks-overview.md). - Learn about [import log data into Power BI](./platform/powerbi.md). - Learn about the [Grafana Azure Monitor data source plugin](./platform/grafana-plugin.md).
+- Learn about [Views in Azure Monitor](platform/view-designer.md).
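Review bot: The new bullet "- Learn about [Metrics Explorer](platform/metrics-getting-started.md)" lacks the trailing period that every sibling bullet in this list has; add it. Moving the Views link to the end of the list is fine.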
azure-netapp-files https://docs.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-faqs https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-faqs.md a/articles/azure-netapp-files/azure-netapp-files-faqs.md
@@ -258,7 +258,7 @@ No. Azure Import/Export service does not support Azure NetApp Files currently.
### Can I use Azure NetApp Files NFS or SMB volumes with Azure VMware Solution (AVS)?
-You can mount Azure NetApp Files NFS volumes on AVS Windows VMs or Linux VMs. You can map Azure NetApp Files SMB shares on AVS Windows VMs. For more details, see [Azure NetApp Files with Azure VMware Solution]( ../azure-vmware/net-app-files-with-azure-vmware-solution.md).
+You can mount Azure NetApp Files NFS volumes on AVS Windows VMs or Linux VMs. You can map Azure NetApp Files SMB shares on AVS Windows VMs. For more details, see [Azure NetApp Files with Azure VMware Solution]( ../azure-vmware/netapp-files-with-azure-vmware-solution.md).
### What regions are supported for using Azure NetApp Files NFS or SMB volumes with Azure VMware Solution (AVS)?
azure-netapp-files https://docs.microsoft.com/en-us/azure/azure-netapp-files/azure-netapp-files-solution-architectures https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-netapp-files/azure-netapp-files-solution-architectures.md a/articles/azure-netapp-files/azure-netapp-files-solution-architectures.md
@@ -91,7 +91,7 @@ This section provides references to SAP on Azure solutions.
## Azure VMware Solutions
-* [Azure NetApp Files with Azure VMware Solution - Guest OS Mounts](../azure-vmware/net-app-files-with-azure-vmware-solution.md)
+* [Azure NetApp Files with Azure VMware Solution - Guest OS Mounts](../azure-vmware/netapp-files-with-azure-vmware-solution.md)
## Virtual Desktop Infrastructure solutions
azure-portal https://docs.microsoft.com/en-us/azure/azure-portal/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-portal/policy-reference.md a/articles/azure-portal/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure portal description: Lists Azure Policy built-in policy definitions for Azure portal. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/custom-providers/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/custom-providers/policy-reference.md a/articles/azure-resource-manager/custom-providers/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure Custom Resource Providers description: Lists Azure Policy built-in policy definitions for Azure Custom Resource Providers. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/managed-applications/policy-reference.md a/articles/azure-resource-manager/managed-applications/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure Managed Applications description: Lists Azure Policy built-in policy definitions for Azure Managed Applications. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/azure-subscription-service-limits.md a/articles/azure-resource-manager/management/azure-subscription-service-limits.md
@@ -397,7 +397,7 @@ For more information, see [Virtual machine sizes](../../virtual-machines/sizes.m
#### Disk encryption sets
-There's a limitation of 50 disk encryption sets per region, per subscription. For more
+There's a limitation of 1000 disk encryption sets per region, per subscription. For more
information, see the encryption documentation for [Linux](../../virtual-machines/disk-encryption.md#restrictions) or [Windows](../../virtual-machines/disk-encryption.md#restrictions) virtual machines. If you
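Review bot: The unchanged context line links "Linux" and "Windows" to the same target (`../../virtual-machines/disk-encryption.md#restrictions`); either the two paths should differ or the sentence should carry a single link. Worth fixing while the limit on the preceding line is being raised from 50 to 1000.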
@@ -450,4 +450,4 @@ There are limits, per subscription, for deploying resources using Shared Image G
* [Understand Azure limits and increases](https://azure.microsoft.com/blog/2014/06/04/azure-limits-quotas-increase-requests/) * [Virtual machine and cloud service sizes for Azure](../../virtual-machines/sizes.md?toc=%2fazure%2fvirtual-machines%2flinux%2ftoc.json) * [Sizes for Azure Cloud Services](../../cloud-services/cloud-services-sizes-specs.md)
-* [Naming rules and restrictions for Azure resources](resource-name-rules.md)
\ No newline at end of file
+* [Naming rules and restrictions for Azure resources](resource-name-rules.md)
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/lock-resources https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/lock-resources.md a/articles/azure-resource-manager/management/lock-resources.md
@@ -33,7 +33,7 @@ Applying locks can lead to unexpected results because some operations that don't
* A cannot-delete lock on a **resource group** prevents Azure Resource Manager from [automatically deleting deployments](../templates/deployment-history-deletions.md) in the history. If you reach 800 deployments in the history, your deployments will fail.
-* A cannot-delete lock on the **resource group** created by **Azure Backup Service** causes backups to fail. The service supports a maximum of 18 restore points. When locked, the backup service can't clean up restore points. For more information, see [Frequently asked questions-Back up Azure VMs](../../backup/backup-azure-vm-backup-faq.md).
+* A cannot-delete lock on the **resource group** created by **Azure Backup Service** causes backups to fail. The service supports a maximum of 18 restore points. When locked, the backup service can't clean up restore points. For more information, see [Frequently asked questions-Back up Azure VMs](../../backup/backup-azure-vm-backup-faq.yml).
* A read-only lock on a **subscription** prevents **Azure Advisor** from working correctly. Advisor is unable to store the results of its queries.
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/policy-reference.md a/articles/azure-resource-manager/management/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure Resource Manager description: Lists Azure Policy built-in policy definitions for Azure Resource Manager. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/region-move-support https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/region-move-support.md a/articles/azure-resource-manager/management/region-move-support.md
@@ -16,32 +16,44 @@ Jump to a resource provider namespace:
> [!div class="op_single_selector"] > - [Microsoft.AAD](#microsoftaad) > - [microsoft.aadiam](#microsoftaadiam)
+> - [Microsoft.Addons](#microsoftaddons)
+> - [Microsoft.ADHybridHealthService](#microsoftadhybridhealthservice)
+> - [Microsoft.Advisor](#microsoftadvisor)
> - [Microsoft.AlertsManagement](#microsoftalertsmanagement) > - [Microsoft.AnalysisServices](#microsoftanalysisservices) > - [Microsoft.ApiManagement](#microsoftapimanagement) > - [Microsoft.AppConfiguration](#microsoftappconfiguration)
+> - [Microsoft.AppPlatform](#microsoftappplatform)
> - [Microsoft.AppService](#microsoftappservice)
+> - [Microsoft.Attestation](#microsoftattestation)
> - [Microsoft.Authorization](#microsoftauthorization) > - [Microsoft.Automation](#microsoftautomation)
+> - [Microsoft.AVS](#microsoftavs)
> - [Microsoft.AzureActiveDirectory](#microsoftazureactivedirectory) > - [Microsoft.AzureData](#microsoftazuredata) > - [Microsoft.AzureStack](#microsoftazurestack)
+> - [Microsoft.AzureStackHCI](#microsoftazurestackhci)
> - [Microsoft.Batch](#microsoftbatch)
-> - [Microsoft.BatchAI](#microsoftbatchai)
+> - [Microsoft.Billing](#microsoftbilling)
> - [Microsoft.BingMaps](#microsoftbingmaps) > - [Microsoft.BizTalkServices](#microsoftbiztalkservices) > - [Microsoft.Blockchain](#microsoftblockchain)
+> - [Microsoft.BlockchainTokens](#microsoftblockchaintokens)
> - [Microsoft.Blueprint](#microsoftblueprint) > - [Microsoft.BotService](#microsoftbotservice) > - [Microsoft.Cache](#microsoftcache)
+> - [Microsoft.Capacity](#microsoftcapacity)
> - [Microsoft.Cdn](#microsoftcdn) > - [Microsoft.CertificateRegistration](#microsoftcertificateregistration) > - [Microsoft.ClassicCompute](#microsoftclassiccompute)
+> - [Microsoft.ClassicInfrastructureMigrate](#microsoftclassicinfrastructuremigrate)
> - [Microsoft.ClassicNetwork](#microsoftclassicnetwork) > - [Microsoft.ClassicStorage](#microsoftclassicstorage)
+> - [Microsoft.ClassicSubscription](#microsoftclassicsubscription)
> - [Microsoft.CognitiveServices](#microsoftcognitiveservices)
+> - [Microsoft.Commerce](#microsoftcommerce)
> - [Microsoft.Compute](#microsoftcompute)
-> - [Microsoft.Container](#microsoftcontainer)
+> - [Microsoft.Consumption](#microsoftconsumption)
> - [Microsoft.ContainerInstance](#microsoftcontainerinstance) > - [Microsoft.ContainerRegistry](#microsoftcontainerregistry) > - [Microsoft.ContainerService](#microsoftcontainerservice)
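Review bot: This hunk removes `Microsoft.BatchAI` and `Microsoft.Container` from the navigation list; the corresponding `## Microsoft.BatchAI` and `## Microsoft.Container` sections are not visible in this change, so confirm they are deleted in the same commit, otherwise they become orphaned sections with no link. The same check applies to every other entry removed from this list further down in the file, and in the other direction each added entry (for example `Microsoft.Addons`, `Microsoft.Attestation`, `Microsoft.AVS`) needs a matching heading whose anchor is the lowercased name.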
@@ -49,6 +61,7 @@ Jump to a resource provider namespace:
> - [Microsoft.CortanaAnalytics](#microsoftcortanaanalytics) > - [Microsoft.CostManagement](#microsoftcostmanagement) > - [Microsoft.CustomerInsights](#microsoftcustomerinsights)
+> - [Microsoft.CustomerLockbox](#microsoftcustomerlockbox)
> - [Microsoft.CustomProviders](#microsoftcustomproviders) > - [Microsoft.DataBox](#microsoftdatabox) > - [Microsoft.DataBoxEdge](#microsoftdataboxedge)
@@ -61,30 +74,43 @@ Jump to a resource provider namespace:
> - [Microsoft.DataLakeAnalytics](#microsoftdatalakeanalytics) > - [Microsoft.DataLakeStore](#microsoftdatalakestore) > - [Microsoft.DataMigration](#microsoftdatamigration)
+> - [Microsoft.DataProtection](#microsoftdataprotection)
> - [Microsoft.DataShare](#microsoftdatashare) > - [Microsoft.DBforMariaDB](#microsoftdbformariadb) > - [Microsoft.DBforMySQL](#microsoftdbformysql) > - [Microsoft.DBforPostgreSQL](#microsoftdbforpostgresql) > - [Microsoft.DeploymentManager](#microsoftdeploymentmanager)
+> - [Microsoft.DesktopVirtualization](#microsoftdesktopvirtualization)
> - [Microsoft.Devices](#microsoftdevices)
+> - [Microsoft.DevOps](#microsoftdevops)
> - [Microsoft.DevSpaces](#microsoftdevspaces) > - [Microsoft.DevTestLab](#microsoftdevtestlab)
+> - [Microsoft.DigitalTwins](#microsoftdigitaltwins)
> - [Microsoft.DocumentDB](#microsoftdocumentdb) > - [Microsoft.DomainRegistration](#microsoftdomainregistration) > - [Microsoft.EnterpriseKnowledgeGraph](#microsoftenterpriseknowledgegraph) > - [Microsoft.EventGrid](#microsofteventgrid) > - [Microsoft.EventHub](#microsofteventhub)
+> - [Microsoft.Experimentation](#microsoftexperimentation)
+> - [Microsoft.Falcon](#microsoftfalcon)
+> - [Microsoft.Features](#microsoftfeatures)
> - [Microsoft.Genomics](#microsoftgenomics)
+> - [Microsoft.GuestConfiguration](#microsoftguestconfiguration)
> - [Microsoft.HanaOnAzure](#microsofthanaonazure)
+> - [Microsoft.HardwareSecurityModules](#microsofthardwaresecuritymodules)
> - [Microsoft.HDInsight](#microsofthdinsight) > - [Microsoft.HealthcareApis](#microsofthealthcareapis) > - [Microsoft.HybridCompute](#microsofthybridcompute) > - [Microsoft.HybridData](#microsofthybriddata)
+> - [Microsoft.HybridNetwork](#microsofthybridnetwork)
+> - [Microsoft.Hydra](#microsofthydra)
> - [Microsoft.ImportExport](#microsoftimportexport) > - [microsoft.insights](#microsoftinsights) > - [Microsoft.IoTCentral](#microsoftiotcentral) > - [Microsoft.IoTSpaces](#microsoftiotspaces) > - [Microsoft.KeyVault](#microsoftkeyvault)
+> - [Microsoft.Kubernetes](#microsoftkubernetes)
+> - [Microsoft.KubernetesConfiguration](#microsoftkubernetesconfiguration)
> - [Microsoft.Kusto](#microsoftkusto) > - [Microsoft.LabServices](#microsoftlabservices) > - [Microsoft.LocationBasedServices](#microsoftlocationbasedservices)
@@ -94,42 +120,56 @@ Jump to a resource provider namespace:
> - [Microsoft.MachineLearningCompute](#microsoftmachinelearningcompute) > - [Microsoft.MachineLearningExperimentation](#microsoftmachinelearningexperimentation) > - [Microsoft.MachineLearningModelManagement](#microsoftmachinelearningmodelmanagement)
-> - [Microsoft.MachineLearningOperationalization](#microsoftmachinelearningoperationalization)
> - [Microsoft.MachineLearningServices](#microsoftmachinelearningservices)
+> - [Microsoft.Maintenance](#microsoftmaintenance)
> - [Microsoft.ManagedIdentity](#microsoftmanagedidentity)
+> - [Microsoft.ManagedNetwork](#microsoftmanagednetwork)
+> - [Microsoft.ManagedServices](#microsoftmanagedservices)
+> - [Microsoft.Management](#microsoftmanagement)
> - [Microsoft.Maps](#microsoftmaps)
+> - [Microsoft.Marketplace](#microsoftmarketplace)
> - [Microsoft.MarketplaceApps](#microsoftmarketplaceapps)
+> - [Microsoft.MarketplaceOrdering](#microsoftmarketplaceordering)
> - [Microsoft.Media](#microsoftmedia) > - [Microsoft.Microservices4Spring](#microsoftmicroservices4spring) > - [Microsoft.Migrate](#microsoftmigrate)
+> - [Microsoft.MixedReality](#microsoftmixedreality)
> - [Microsoft.NetApp](#microsoftnetapp) > - [Microsoft.Network](#microsoftnetwork) > - [Microsoft.NotificationHubs](#microsoftnotificationhubs)
+> - [Microsoft.ObjectStore](#microsoftobjectstore)
+> - [Microsoft.OffAzure](#microsoftoffazure)
> - [Microsoft.OperationalInsights](#microsoftoperationalinsights) > - [Microsoft.OperationsManagement](#microsoftoperationsmanagement) > - [Microsoft.Peering](#microsoftpeering)
+> - [Microsoft.PolicyInsights](#microsoftpolicyinsights)
> - [Microsoft.Portal](#microsoftportal)
-> - [Microsoft.PortalSdk](#microsoftportalsdk)
> - [Microsoft.PowerBI](#microsoftpowerbi) > - [Microsoft.PowerBIDedicated](#microsoftpowerbidedicated)
-> - [Microsoft.ProjectOxford](#microsoftprojectoxford)
+> - [Microsoft.ProjectBabylon](#microsoftprojectbabylon)
+> - [Microsoft.ProviderHub](#microsoftproviderhub)
+> - [Microsoft.Quantum](#microsoftquantum)
> - [Microsoft.RecoveryServices](#microsoftrecoveryservices)
+> - [Microsoft.RedHatOpenShift](#microsoftredhatopenshift)
> - [Microsoft.Relay](#microsoftrelay) > - [Microsoft.ResourceGraph](#microsoftresourcegraph)
+> - [Microsoft.ResourceHealth](#microsoftresourcehealth)
> - [Microsoft.Resources](#microsoftresources) > - [Microsoft.SaaS](#microsoftsaas)
-> - [Microsoft.Scheduler](#microsoftscheduler)
> - [Microsoft.Search](#microsoftsearch) > - [Microsoft.Security](#microsoftsecurity)
+> - [Microsoft.SecurityInsights](#microsoftsecurityinsights)
+> - [Microsoft.SerialConsole](#microsoftserialconsole)
> - [Microsoft.ServerManagement](#microsoftservermanagement) > - [Microsoft.ServiceBus](#microsoftservicebus) > - [Microsoft.ServiceFabric](#microsoftservicefabric) > - [Microsoft.ServiceFabricMesh](#microsoftservicefabricmesh)
+> - [Microsoft.Services](#microsoftservices)
> - [Microsoft.SignalRService](#microsoftsignalrservice)
+> - [Microsoft.SoftwarePlan](#microsoftsoftwareplan)
> - [Microsoft.Solutions](#microsoftsolutions) > - [Microsoft.Sql](#microsoftsql) > - [Microsoft.SqlVirtualMachine](#microsoftsqlvirtualmachine)
-> - [Microsoft.SqlVM](#microsoftsqlvm)
> - [Microsoft.Storage](#microsoftstorage) > - [Microsoft.StorageCache](#microsoftstoragecache) > - [Microsoft.StorageSync](#microsoftstoragesync)
@@ -138,30 +178,73 @@ Jump to a resource provider namespace:
> - [Microsoft.StorSimple](#microsoftstorsimple) > - [Microsoft.StreamAnalytics](#microsoftstreamanalytics) > - [Microsoft.StreamAnalyticsExplorer](#microsoftstreamanalyticsexplorer)
-> - [Microsoft.TerraformOSS](#microsoftterraformoss)
+> - [Microsoft.Subscription](#microsoftsubscription)
+> - [microsoft.support](#microsoftsupport)
+> - [Microsoft.Synapse](#microsoftsynapse)
> - [Microsoft.TimeSeriesInsights](#microsofttimeseriesinsights) > - [Microsoft.Token](#microsofttoken) > - [Microsoft.VirtualMachineImages](#microsoftvirtualmachineimages) > - [microsoft.visualstudio](#microsoftvisualstudio)
+> - [Microsoft.VMware](#microsoftvmware)
> - [Microsoft.VMwareCloudSimple](#microsoftvmwarecloudsimple)
+> - [Microsoft.VnfManager](#microsoftvnfmanager)
+> - [Microsoft.VSOnline](#microsoftvsonline)
> - [Microsoft.Web](#microsoftweb)
+> - [Microsoft.WindowsESU](#microsoftwindowsesu)
> - [Microsoft.WindowsIoT](#microsoftwindowsiot)
-> - [Microsoft.WindowsVirtualDesktop](#microsoftwindowsvirtualdesktop)
+> - [Microsoft.WorkloadBuilder](#microsoftworkloadbuilder)
+> - [Microsoft.WorkloadMonitor](#microsoftworkloadmonitor)
## Microsoft.AAD > [!div class="mx-tableFixed"] > | Resource type | Region move |
-> | - | -- |
+> | - | -- |
> | domainservices | No |
-> | domainservices / replicasets | No |
+ ## microsoft.aadiam > [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
-> | tenants | No |
+> | diagnosticsettings | No |
+> | diagnosticsettingscategories | No |
+> | privatelinkforazuread | No |
+> | tenants | No |
+
+## microsoft.Addons
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | supportproviders | No |
+
+## Microsoft.ADHybridHealthService
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | aadsupportcases | No |
+> | addsservices | No |
+> | agents | No |
+> | anonymousapiusers | No |
+> | configuration | No |
+> | logs | No |
+> | reports | No |
+> | servicehealthmetrics | No |
+> | services | No |
+
+## Microsoft.Advisor
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | configurations | No |
+> | generaterecommendations | No |
+> | metadata | No |
+> | recommendations | No |
+> | suppressions | No |
## Microsoft.AlertsManagement
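Review bot: The new heading `## microsoft.Addons` uses a lowercase "microsoft" while the navigation entry added earlier reads `Microsoft.Addons` and the neighbouring headings use `Microsoft.`; the `#microsoftaddons` anchor still resolves, but the heading text should match. Separately, the `domainservices / replicasets` row is removed from the Microsoft.AAD table with no replacement; confirm that is intentional rather than a lost row. The `> | - | -- |` separator line is replaced by a visually identical line, which suggests a whitespace-only change that could be dropped from the diff.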
@@ -169,6 +252,13 @@ Jump to a resource provider namespace:
> | Resource type | Region move | > | - | -- | > | actionrules | No |
+> | alerts | No |
+> | alertslist | No |
+> | alertsmetadata | No |
+> | alertssummary | No |
+> | alertssummarylist | No |
+> | smartdetectoralertrules | No |
+> | smartgroups | No |
## Microsoft.AnalysisServices
@@ -182,6 +272,7 @@ Jump to a resource provider namespace:
> [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
+> | reportfeedback | No |
> | service | Yes (using template) <br/><br/> [Move API Management across regions](../../api-management/api-management-howto-migrate.md). | ## Microsoft.AppConfiguration
@@ -190,6 +281,14 @@ Jump to a resource provider namespace:
> | Resource type | Region move | > | - | -- | > | configurationstores | No |
+> | configurationstores / eventgridfilters | No |
+
+## Microsoft.AppPlatform
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | spring | No |
## Microsoft.AppService
@@ -200,13 +299,33 @@ Jump to a resource provider namespace:
> | appidentities | No | > | gateways | No |
+## Microsoft.Attestation
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | attestationproviders | No |
## Microsoft.Authorization > [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
-> | policyassignments | No |
+> | classicadministrators | No |
+> | dataaliases | No |
+> | denyassignments | No |
+> | elevateaccess | No |
+> | findorphanroleassignments | No |
+> | locks | No |
+> | permissions | No |
+> | policyassignments | No |
+> | policydefinitions | No |
+> | policysetdefinitions | No |
+> | privatelinkassociations | No |
+> | resourcemanagementprivatelinks | No |
+> | roleassignments | No |
+> | roleassignmentsusagemetrics | No |
+> | roledefinitions | No |
## Microsoft.Automation
@@ -217,6 +336,12 @@ Jump to a resource provider namespace:
> | automationaccounts / configurations | No | > | automationaccounts / runbooks | No |
+## Microsoft.AVS
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move | Subscription |
+> | - | -- |
+> | privateclouds | No |
## Microsoft.AzureActiveDirectory
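Review bot: The Microsoft.AVS table header `| Resource type | Region move | Subscription |` declares three columns, but the separator `| - | -- |` and the `privateclouds` row only have two, so the table will not render consistently; drop the `Subscription` column or add the missing cells.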
@@ -225,12 +350,19 @@ Jump to a resource provider namespace:
> | Resource type | Region move | > | - | -- | > | b2cdirectories | No |
+> | b2ctenants | No |
## Microsoft.AzureData > [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
+> | datacontrollers | No |
+> | hybriddatamanagers | No |
+> | postgresinstances | No |
+> | sqlinstances | No |
+> | sqlmanagedinstances | No |
+> | sqlserverinstances | No |
> | sqlserverregistrations | No | ## Microsoft.AzureStack
@@ -238,8 +370,16 @@ Jump to a resource provider namespace:
> [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
+> | cloudmanifestfiles | No |
> | registrations | No |
+## Microsoft.AzureStackHCI
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | clusters | No |
+ ## Microsoft.Batch > [!div class="mx-tableFixed"]
@@ -247,15 +387,21 @@ Jump to a resource provider namespace:
> | - | -- | > | batchaccounts | Batch accounts can't be moved directly from one region to another, but you can use a template to export a template, modify it, and deploy the template to the new region. <br/><br/> Learn about [moving a Batch account across regions](../../batch/best-practices.md#moving-batch-accounts-across-regions) |
-## Microsoft.BatchAI
+## Microsoft.Billing
> [!div class="mx-tableFixed"] > | Resource type | Region move |
-> | - | -- |
-> | clusters | No <br/><br/> The Azure Batch AI service is [retired](/previous-versions/azure/batch-ai/overview-what-happened-batch-ai).
-> | fileservers | No |
-> | jobs | No |
-> | workspaces | No |
+> | - | -- |
+> | billingaccounts | No |
+> | billingperiods | No |
+> | billingpermissions | No |
+> | billingproperty | No |
+> | billingroleassignments | No |
+> | billingroledefinitions | No |
+> | departments | No |
+> | enrollmentaccounts | No |
+> | invoices | No |
+> | transfers | No |
## Microsoft.BingMaps
@@ -277,14 +423,24 @@ Jump to a resource provider namespace:
> | Resource type | Region move | > | - | -- | > | blockchainmembers | No <br/><br/> The blockchain network can't have nodes in different regions.
+> | cordamembers | No |
> | watchers | No |
+## Microsoft.BlockchainTokens
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | tokenservices | No |
++ ## Microsoft.Blueprint > [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- | > | blueprintassignments | No |
+> | blueprints | No |
## Microsoft.BotService
@@ -299,7 +455,24 @@ Jump to a resource provider namespace:
> | Resource type | Region move | > | - | -- | > | redis | No |
+> | redisenterprise | No |
+
+## Microsoft.Capacity
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | appliedreservations | No |
+> | calculateexchange | No |
+> | calculateprice | No |
+> | calculatepurchaseprice | No |
+> | catalogs | No |
+> | commercialreservationorders | No |
+> | exchange | No |
+> | reservationorders | No |
+> | reservations | No |
+> | resources | No |
+> | validatereservationorder | No |
## Microsoft.Cdn
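Review bot: The new `## Microsoft.Capacity` heading is immediately followed by the `> [!div class="mx-tableFixed"]` line, while every other new section in this patch puts a blank line between the heading and the div; add the blank line for consistency.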
@@ -307,6 +480,7 @@ Jump to a resource provider namespace:
> | Resource type | Region move | > | - | -- | > | cdnwebapplicationfirewallpolicies | No |
+> | edgenodes | No
> | profiles | No | > | profiles / endpoints | No |
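Review bot: The added `edgenodes | No` row is missing its closing pipe, unlike the other rows in the Microsoft.Cdn table; it should read `> | edgenodes | No |`.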
@@ -323,17 +497,31 @@ Jump to a resource provider namespace:
> [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
-> | domainnames | No work is planned for classic services.
-> | virtualmachines | No |
+> | capabilities | No |
+> | domainnames | Yes | No |
+> | quotas | No |
+> | resourcetypes | No |
+> | validatesubscriptionmoveavailability | No |
+> | virtualmachines | No
+## Microsoft.ClassicInfrastructureMigrate
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | classicinfrastructureresources | No |
## Microsoft.ClassicNetwork > [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
-> | networksecuritygroups | No work is planned for classic services.
+> | capabilities | No |
+> | expressroutecrossconnections | No |
+> | expressroutecrossconnections / peerings | No |
+> | gatewaysupporteddevices | No |
+> | networksecuritygroups | No |
+> | quotas | No |
> | reservedips | No | > | virtualnetworks | No |
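Review bot: The `domainnames | Yes | No |` row carries two contradictory values in a two-column table and needs a single answer; the `virtualmachines | No` row is missing its closing pipe. The replaced rows also carried the note "No work is planned for classic services", which is useful context for readers of the classic tables and could be kept in the Region move cell. Minor: `## Microsoft.ClassicInfrastructureMigrate` lacks the blank line before its `[!div]` block that the other new sections use.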
@@ -342,8 +530,21 @@ Jump to a resource provider namespace:
> [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
+> | disks | No |
+> | images | No |
+> | osimages | No |
+> | osplatformimages | No |
+> | publicimages | No |
+> | quotas | No |
> | storageaccounts | Yes |
+> | vmimages | No |
+## Microsoft.ClassicSubscription
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | operations | No |
## Microsoft.CognitiveServices
@@ -353,12 +554,21 @@ Jump to a resource provider namespace:
> | accounts | No | > | Cognitive Search | Supported with manual steps.<br/><br/> Learn about [moving your Azure Cognitive Search service to another region](../../search/search-howto-move-across-regions.md)
+## Microsoft.Commerce
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | ratecard | No |
+> | usageaggregates | No |
+ ## Microsoft.Compute > [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- | > | availabilitysets | Yes <br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move availability sets. |
+> | diskaccesses | No |
> | diskencryptionsets | No | > | disks | Yes <br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move Azure VMs and related disks. | > | galleries | No |
@@ -372,16 +582,38 @@ Jump to a resource provider namespace:
> | sharedvmimages | No | > | sharedvmimages / versions | No | > | snapshots | No |
+> | sshpublickeys | No |
> | virtualmachines | Yes <br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move Azure VMs. | > | virtualmachines / extensions | No | > | virtualmachinescalesets | No |
-## Microsoft.Container
+## Microsoft.Consumption
> [!div class="mx-tableFixed"] > | Resource type | Region move |
-> | - | -- |
-> | containergroups | No |
+> | - | -- |
+> | aggregatedcost | No |
+> | balances | No |
+> | budgets | No |
+> | charges | No |
+> | costtags | No |
+> | credits | No |
+> | events | No |
+> | forecasts | No |
+> | lots | No |
+> | marketplaces | No |
+> | pricesheets | No |
+> | products | No |
+> | reservationdetails | No |
+> | reservationrecommendationdetails | No |
+> | reservationrecommendations | No |
+> | reservationsummaries | No |
+> | reservationtransactions | No |
+> | tags | No |
+> | tenants | No |
+> | terms | No |
+> | usagedetails | No |
+ ## Microsoft.ContainerInstance
@@ -389,6 +621,8 @@ Jump to a resource provider namespace:
> | Resource type | Region move | > | - | -- | > | containergroups | No |
+> | serviceassociationlinks | No |
+ ## Microsoft.ContainerRegistry
@@ -396,6 +630,7 @@ Jump to a resource provider namespace:
> | Resource type | Region move | > | - | -- | > | registries | No |
+> | registries / agentpools | No |
> | registries / buildtasks | No | > | registries / replications | No | > | registries / tasks | No |
@@ -406,7 +641,7 @@ Jump to a resource provider namespace:
> [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
-> | containerservices | No.<br/><br/> Service is [retired](https://azure.microsoft.com/updates/azure-container-service-will-retire-on-january-31-2020/).
+> | containerservices | No |
> | managedclusters | No | > | openshiftmanagedclusters | No |
@@ -429,7 +664,24 @@ Jump to a resource provider namespace:
> [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
-> | connectors | No |
+> | alerts | No |
+> | billingaccounts | No |
+> | budgets | No |
+> | cloudconnectors | No |
+> | connectors | No |
+> | departments | No |
+> | dimensions | No |
+> | enrollmentaccounts | No |
+> | exports | No |
+> | externalbillingaccounts | No |
+> | forecast | No |
+> | query | No |
+> | register | No |
+> | reportconfigs | No |
+> | reports | No |
+> | settings | No |
+> | showbackrules | No |
+> | views | No |
## Microsoft.CustomerInsights
@@ -438,11 +690,19 @@ Jump to a resource provider namespace:
> | - | -- | > | hubs | No |
+## Microsoft.CustomerLockbox
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | requests | No |
+ ## Microsoft.CustomProviders > [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
+> | associations | No |
> | resourceproviders | No | ## Microsoft.DataBox
@@ -457,6 +717,7 @@ Jump to a resource provider namespace:
> [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
+> | availableskus | No |
> | databoxedgedevices | No | ## Microsoft.Databricks
@@ -527,6 +788,13 @@ Jump to a resource provider namespace:
> | services / projects | No | > | slots | No |
+## Microsoft.DataProtection
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- | - |
+> | backupvaults | No |
+ ## Microsoft.DataShare > [!div class="mx-tableFixed"]
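Review bot: The Microsoft.DataProtection separator `| - | -- | - |` declares three columns while the header and the `backupvaults` row have two; it should be `| - | -- |` like the other tables.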
@@ -569,6 +837,15 @@ Jump to a resource provider namespace:
> | servicetopologies / services / serviceunits | No | > | steps | No | +
+## Microsoft.DesktopVirtualization
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | applicationgroups | No |
+> | workspaces | No |
+ ## Microsoft.Devices > [!div class="mx-tableFixed"]
@@ -579,6 +856,14 @@ Jump to a resource provider namespace:
> | iothubs | Yes. [Learn more](../../iot-hub/iot-hub-how-to-clone.md) > | provisioningservices | No |
+## Microsoft.DevOps
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | controllers | No |
++ ## Microsoft.DevSpaces > [!div class="mx-tableFixed"]
@@ -599,12 +884,20 @@ Jump to a resource provider namespace:
> | labs / virtualmachines | No | > | schedules | No |
+## Microsoft.DigitalTwins
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | digitaltwinsinstances | Yes, by recreating resources in new region. [Learn more](../../digital-twins/how-to-move-regions.md) |
+ ## Microsoft.DocumentDB > [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- | > | databaseaccounts | No |
+> | databaseaccounts | No |
## Microsoft.DomainRegistration
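Review bot: The added `databaseaccounts | No` row under Microsoft.DocumentDB duplicates the unchanged `databaseaccounts | No` row directly above it; drop the addition unless a different resource type was intended.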
@@ -612,6 +905,9 @@ Jump to a resource provider namespace:
> | Resource type | Region move | > | - | -- | > | domains | No |
+> | generatessorequest | No |
+> | topleveldomains | No |
+> | validatedomainregistrationinformation | No |
## Microsoft.EnterpriseKnowledgeGraph
@@ -625,8 +921,15 @@ Jump to a resource provider namespace:
> [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
-> | domains | No |
+> | domains | No |
+> | eventsubscriptions | No |
+> | extensiontopics | No |
+> | partnernamespaces | No |
+> | partnerregistrations | No |
+> | partnertopics | No |
+> | systemtopics | No |
> | topics | No |
+> | topictypes | No |
## Microsoft.EventHub
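Review bot: The `-> | domains | No |` / `+> | domains | No |` pair in the Microsoft.EventGrid table is a no-op that only adds diff noise; if a trailing-whitespace change is intended, note it, otherwise drop the pair.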
@@ -635,6 +938,31 @@ Jump to a resource provider namespace:
> | - | -- | > | clusters | No | > | namespaces | Yes (with template)<br/><br/> [Move an Event Hub namespace to another region](../../event-hubs/move-across-regions.md) |
+> | sku | No |
+
+## Microsoft.Experimentation
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | experimentworkspaces | No |
+
+## Microsoft.Falcon
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | namespaces | No |
+
+## Microsoft.Features
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | featureproviders | No |
+> | features | No |
+> | providers | No |
+> | subscriptionfeatureregistrations | No |
## Microsoft.Genomics
@@ -643,6 +971,18 @@ Jump to a resource provider namespace:
> | - | -- | > | accounts | No |
+## Microsoft.GuestConfiguration
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | automanagedaccounts | No |
+> | automanagedvmconfigurationprofiles | No |
+> | guestconfigurationassignments | No |
+> | software | No |
+> | softwareupdateprofile | No |
+> | softwareupdates | No |
+ ## Microsoft.HanaOnAzure > [!div class="mx-tableFixed"]
@@ -651,6 +991,14 @@ Jump to a resource provider namespace:
> | hanainstances | No | > | sapmonitors | No |
+## Microsoft.HardwareSecurityModules
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | dedicatedhsms | No |
++ ## Microsoft.HDInsight > [!div class="mx-tableFixed"]
@@ -671,6 +1019,7 @@ Jump to a resource provider namespace:
> | Resource type | Region move | > | - | -- | > | machines | No |
+> | machines / extensions | No |
## Microsoft.HybridData
@@ -679,6 +1028,22 @@ Jump to a resource provider namespace:
> | - | -- | > | datamanagers | No |
+## Microsoft.HybridNetwork
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | devices | No |
+> | vnfs | No |
+
+## Microsoft.Hydra
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | components | No |
+> | networkscopes | No |
+ ## Microsoft.ImportExport > [!div class="mx-tableFixed"]
@@ -696,14 +1061,39 @@ Jump to a resource provider namespace:
> | activitylogalerts | No | > | alertrules | No | > | autoscalesettings | No |
+> | baseline | No |
> | components | No |
+> | datacollectionrules | No |
+> | diagnosticsettings | No |
+> | diagnosticsettingscategories | No |
+> | eventcategories | No |
+> | eventtypes | No |
+> | extendeddiagnosticsettings | No | |
> | guestdiagnosticsettings | No |
+> | listmigrationdate | No |
+> | logdefinitions | No |
+> | logprofiles | No |
+> | logs | No | No |
> | metricalerts | No |
+> | metricbaselines | No |
+> | metricbatch | No |
+> | metricdefinitions | No |
+> | metricnamespaces | No |
+> | metrics | No |
+> | migratealertrules | No |
+> | migratetonewpricingmodel | No |
+> | myworkbooks | No |
> | notificationgroups | No |
-> | notificationrules | No |
+> | privatelinkscopes | No |
+> | rollbacktolegacypricingmodel | No |
> | scheduledqueryrules | No |
+> | topology | No |
+> | transactions | No |
+> | vminsightsonboardingstatuses | No |
> | webtests | No |
+> | webtests / gettestresultfile | No |
> | workbooks | No |
+> | workbooktemplates | No |
## Microsoft.IoTCentral
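Review bot: Two added rows in the Microsoft.Insights table have a stray extra cell: `extendeddiagnosticsettings | No | |` and `logs | No | No |`; both should end after the single `No |` like the surrounding rows.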
@@ -711,8 +1101,10 @@ Jump to a resource provider namespace:
> [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
-> | checknameavailability | No.<br/><br/> IoT Central works with geographies, and not regions.
-> | graph | No
+> | apptemplates | No |
+> | iotapps | No |
++ ## Microsoft.IoTHub
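Review bot: Replacing the `checknameavailability` and `graph` rows also drops the explanation "IoT Central works with geographies, and not regions", which is the one piece of guidance a reader of this table needs; consider carrying that note into the new `iotapps` row's Region move cell.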
@@ -724,19 +1116,34 @@ Jump to a resource provider namespace:
## Microsoft.IoTSpaces > [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | checknameavailability | No |
-> | graph | No |
+> | Resource type | Region Move |
+> | - | -- |
+> | graph | No |
## Microsoft.KeyVault > [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
+> | deletedvaults | No |
> | hsmpools | No |
+> | managedhsms | No |
> | vaults | No |
+## Microsoft.Kubernetes
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | connectedclusters | No |
+> | registeredsubscriptions | No |
+
+## Microsoft.KubernetesConfiguration
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | sourcecontrolconfigurations | No |
## Microsoft.Kusto
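Review bot: The rewritten Microsoft.IoTSpaces header uses `Region Move` while every other table in the file uses `Region move`; keep the lowercase form for consistency.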
@@ -751,6 +1158,7 @@ Jump to a resource provider namespace:
> | Resource type | Region move | > | - | -- | > | labaccounts | No |
+> | users | No |
## Microsoft.LocationBasedServices
@@ -774,6 +1182,7 @@ Jump to a resource provider namespace:
> | hostingenvironments | No | > | integrationaccounts | No | > | integrationserviceenvironments | No |
+> | integrationserviceenvironments / managedapis | No |
> | isolatedenvironments | No | > | workflows | No |
@@ -799,11 +1208,8 @@ Jump to a resource provider namespace:
> | Resource type | Region move | > | - | -- | > | accounts | No |
-> | accounts / workspaces | No |
-> | accounts / workspaces / projects | No |
> | teamaccounts | No |
-> | teamaccounts / workspaces | No |
-> | teamaccounts / workspaces / projects | No |
+ ## Microsoft.MachineLearningModelManagement
@@ -812,40 +1218,98 @@ Jump to a resource provider namespace:
> | - | -- | > | accounts | No |
-## Microsoft.MachineLearningOperationalization
+
+## Microsoft.MachineLearningServices
> [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
-> | hostingaccounts | No |
+> | workspaces | No |
-## Microsoft.MachineLearningServices
+## Microsoft.Maintenance
> [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
-> | workspaces | No |
+> | configurationassignments | Yes. [Learn more](../../virtual-machines/move-region-maintenance-configuration.md) |
+> | maintenanceconfigurations | Yes. [Learn more](../../virtual-machines/move-region-maintenance-configuration-resources.md) |
+> | updates | No |
## Microsoft.ManagedIdentity > [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
+> | identities | No |
> | userassignedidentities | No |
+## Microsoft.ManagedNetwork
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | managednetworks | No |
+> | managednetworks / managednetworkgroups | No |
+> | managednetworks / managednetworkpeeringpolicies | No |
+> | notification | No |
+
+## Microsoft.ManagedServices
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | marketplaceregistrationdefinitions | No |
+> | registrationassignments | No |
+> | registrationdefinitions | No |
+
+## Microsoft.Management
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | getentities | No |
+> | managementgroups | No |
+> | managementgroups / settings | No |
+> | resources | No |
+> | starttenantbackfill | No |
+> | tenantbackfillstatus | No |
+ ## Microsoft.Maps > [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- | > | accounts | No, Azure Maps is a geospatial service.
+> | accounts / privateatlases | No
-## Microsoft.MarketplaceApps
+## Microsoft.Marketplace
> [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
-> | classicdevservices | No work is planned for classic services
+> | offers | No |
+> | offertypes | No |
+> | privategalleryitems | No |
+> | privatestoreclient | No |
+> | privatestores | No |
+> | products | No |
+> | publishers | No |
+> | register | No |
+
+## Microsoft.MarketplaceApps
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | classicdevservices | No |
+
+## Microsoft.MarketplaceOrdering
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | agreements | No |
+> | offertypes | No |
## Microsoft.Media
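Review bot: The added `accounts / privateatlases | No` row under Microsoft.Maps is missing its closing pipe; it should read `> | accounts / privateatlases | No |`.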
@@ -870,8 +1334,19 @@ Jump to a resource provider namespace:
> | - | -- | > | assessmentprojects | No | > | migrateprojects | No |
+> | movecollections | No
> | projects | No |
+## Microsoft.MixedReality
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- | - |
+> | holographicsbroadcastaccounts | No |
+> | objectunderstandingaccounts | No |
+> | remoterenderingaccounts | No |
+> | spatialanchorsaccounts | No |
+ ## Microsoft.NetApp > [!div class="mx-tableFixed"]
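Review bot: The `movecollections | No` row under Microsoft.Migrate is missing its closing pipe, and the Microsoft.MixedReality separator `| - | -- | - |` declares three columns against a two-column header; both should match the surrounding table formatting.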
@@ -888,43 +1363,50 @@ Jump to a resource provider namespace:
> [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
-> | applicationgateways | No |
+> | applicationgateways | No |
> | applicationgatewaywebapplicationfirewallpolicies | No | > | applicationsecuritygroups | No | > | azurefirewalls | No | > | bastionhosts | No |
+> | bgpservicecommunities | No |
> | connections | No | > | ddoscustompolicies | No | > | ddosprotectionplans | No | > | dnszones | No | > | expressroutecircuits | No |
-> | expressroutecrossconnections | No |
> | expressroutegateways | No |
-> | expressrouteports | No |
+> | expressrouteserviceproviders | No |
+> | firewallpolicies | No |
> | frontdoors | No |
-> | frontdoorwebapplicationfirewallpolicies | No |
+> | ipallocations | No |
+> | ipgroups | No |
> | loadbalancers | Yes <br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move internal and external load balancers. | > | localnetworkgateways | No | > | natgateways | No |
+> | networkexperimentprofiles | No |
> | networkintentpolicies | No | > | networkinterfaces | Yes <br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move NICs. | > | networkprofiles | No | > | networksecuritygroups | Yes <br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move network security groups (NGSs). | > | networkwatchers | No | > | networkwatchers / connectionmonitors | No |
-> | networkwatchers / lenses | No |
+> | networkwatchers / flowlogs | No |
> | networkwatchers / pingmeshes | No | > | p2svpngateways | No | > | privatednszones | No |
-> | privatednszones / virtualnetworklinks | No |
+> | privatednszones / virtualnetworklinks | No |> | privatednszonesinternal | No |
+> | privateendpointredirectmaps | No |
> | privateendpoints | No | > | privatelinkservices | No | > | publicipaddresses | Yes<br/><br/> Use [Azure Resource Mover](../../resource-mover/tutorial-move-region-virtual-machines.md) to move public IP addresses. | > | publicipprefixes | No | > | routefilters | No | > | routetables | No |
+> | securitypartnerproviders | No |
> | serviceendpointpolicies | No |
+> | trafficmanagergeographichierarchies | No |
> | trafficmanagerprofiles | No |
+> | trafficmanagerusermetricskeys | No |
> | virtualhubs | No | > | virtualnetworkgateways | No | > | virtualnetworks | No |
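Review bot: Two rows are run together on one line in the Microsoft.Network table: `> | privatednszones / virtualnetworklinks | No |> | privatednszonesinternal | No |` needs a line break before the second `>`, otherwise `privatednszonesinternal` renders as extra cells of the first row. The `-> | applicationgateways | No |` / `+> | applicationgateways | No |` pair is also a no-op.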
@@ -932,7 +1414,7 @@ Jump to a resource provider namespace:
> | virtualwans | No | > | vpngateways (Virtual WAN) | No | > | vpnsites (Virtual WAN) | No |
-> | webapplicationfirewallpolicies | No |
+> | vpnsites (Virtual WAN) | No |
## Microsoft.NotificationHubs
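Review bot: The replacement line `+> | vpnsites (Virtual WAN) | No |` duplicates the unchanged `vpnsites (Virtual WAN) | No |` row directly above it, so the net effect of this hunk is to delete `webapplicationfirewallpolicies` and add a duplicate row; if the deletion is intended, drop the added line rather than repeating the row.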
@@ -943,12 +1425,33 @@ Jump to a resource provider namespace:
> | namespaces | No | > | namespaces / notificationhubs | No |
+## Microsoft.ObjectStore
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | osnamespaces | No |
+
+## Microsoft.OffAzure
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | hypervsites | No |
+> | importsites | No |
+> | serversites | No |
+> | vmwaresites | No |
+ ## Microsoft.OperationalInsights > [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
-> | workspaces | No |
+> | clusters | No |
+> | deletedworkspaces | No |
+> | linktargets | No |
+> | storageinsightconfigs | No |
+> | workspaces | No |
@@ -957,7 +1460,9 @@ Jump to a resource provider namespace:
> [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
+> | managementassociations | No |
> | managementconfigurations | No |
+> | solutions | No |
> | views | No | ## Microsoft.Peering
@@ -965,21 +1470,34 @@ Jump to a resource provider namespace:
> [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
+> | legacypeerings | No |
+> | peerasns | No |
+> | peeringlocations | No |
> | peerings | No |
+> | peeringservicecountries | No |
+> | peeringservicelocations | No |
+> | peeringserviceproviders | No |
+> | peeringservices | No |
-## Microsoft.Portal
+## Microsoft.PolicyInsights
> [!div class="mx-tableFixed"] > | Resource type | Region move |
-> | - | -- |
-> | dashboards | No |
+> | - | -- |
+> | policyevents | No |
+> | policystates | No |
+> | policytrackedresources | No |
+> | remediations | No |
-## Microsoft.PortalSdk
+## Microsoft.Portal
> [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
-> | rootresources | No |
+> | consoles | No |
+> | dashboards | No |
+> | usersettings | No |
+ ## Microsoft.PowerBI
@@ -995,20 +1513,43 @@ Jump to a resource provider namespace:
> | - | -- | > | capacities | No |
-## Microsoft.ProjectOxford
+## Microsoft.ProjectBabylon
> [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- | > | accounts | No |
+## Microsoft.ProviderHub
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | availableaccounts | No |
+> | providerregistrations | No |
+> | rollouts | No |
+
+## Microsoft.Quantum
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | workspaces | No |
+ ## Microsoft.RecoveryServices > [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
+> | replicationeligibilityresults | No |
> | vaults | No.<br/><br/> Moving Recovery Services vaults for Azure Backup across Azure regions isn't supported.<br/><br/> In Recovery Services vaults for Azure Site Recovery, you can [disable and recreate the vault](../../site-recovery/move-vaults-across-regions.md) in the target region. |
+## Microsoft.RedHatOpenShift
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | openshiftclusters | No |
## Microsoft.Relay
@@ -1023,6 +1564,22 @@ Jump to a resource provider namespace:
> | Resource type | Region move | > | - | -- | > | queries | No |
+> | resourcechangedetails | No |
+> | resourcechanges | No |
+> | resources | No |
+> | resourceshistory | No |
+> | subscriptionsstatus | No |
+
+## Microsoft.ResourceHealth
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | childresources | No |
+> | emergingissues | No |
+> | events | No |
+> | metadata | No |
+> | notifications | No |
## Microsoft.Resources
@@ -1038,20 +1595,15 @@ Jump to a resource provider namespace:
> | Resource type | Region move | > | - | -- | > | applications | No |
+> | saasresources | No |
-## Microsoft.Scheduler
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | flows | No |
-> | jobcollections | No |
## Microsoft.Search > [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
+> | resourcehealthmetadata | No |
> | searchservices | No |
@@ -1060,8 +1612,69 @@ Jump to a resource provider namespace:
> [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
-> | iotsecuritysolutions | No |
-> | playbookconfigurations | No |
+> | adaptivenetworkhardenings | No |
+> | advancedthreatprotectionsettings | No |
+> | alerts | No |
+> | allowedconnections | No |
+> | applicationwhitelistings | No |
+> | assessmentmetadata | No |
+> | assessments | No |
+> | autodismissalertsrules | No |
+> | automations | No |
+> | autoprovisioningsettings | No |
+> | complianceresults | No |
+> | compliances | No |
+> | datacollectionagents | No |
+> | devicesecuritygroups | No |
+> | discoveredsecuritysolutions | No |
+> | externalsecuritysolutions | No |
+> | informationprotectionpolicies | No |
+> | iotsecuritysolutions | No |
+> | iotsecuritysolutions / analyticsmodels | No |
+> | iotsecuritysolutions / analyticsmodels / aggregatedalerts | No |
+> | iotsecuritysolutions / analyticsmodels / aggregatedrecommendations | No |
+> | jitnetworkaccesspolicies | No |
+> | policies | No |
+> | pricings | No |
+> | regulatorycompliancestandards | No |
+> | regulatorycompliancestandards / regulatorycompliancecontrols | No |
+> | regulatorycompliancestandards / regulatorycompliancecontrols / regulatorycomplianceassessments | No |
+> | securitycontacts | No |
+> | securitysolutions | No |
+> | securitysolutionsreferencedata | No |
+> | securitystatuses | No |
+> | securitystatusessummaries | No |
+> | servervulnerabilityassessments | No |
+> | settings | No |
+> | subassessments | No |
+> | tasks | No |
+> | topologies | No |
+> | workspacesettings | No |
+
+## Microsoft.SecurityInsights
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | aggregations | No |
+> | alertrules | No |
+> | alertruletemplates | No |
+> | automationrules | No |
+> | cases | No |
+> | dataconnectors | No |
+> | entities | No |
+> | entityqueries | No |
+> | incidents | No |
+> | officeconsents | No |
+> | settings | No |
+> | threatintelligence | No |
+
+## Microsoft.SerialConsole
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | consoleservices | No |
## Microsoft.ServerManagement
@@ -1077,6 +1690,8 @@ Jump to a resource provider namespace:
> | Resource type | Region move | > | - | -- | > | namespaces | No |
+> | premiummessagingregions | No |
+> | sku | No |
## Microsoft.ServiceFabric
@@ -1084,11 +1699,11 @@ Jump to a resource provider namespace:
> | Resource type | Region move | > | - | -- | > | applications | No |
-> | clusters | No |
-> | clusters / applications | No |
+> | clusters | No |
> | containergroups | No | > | containergroupsets | No | > | edgeclusters | No |
+> | managedclusters | No |
> | networks | No | > | secretstores | No | > | volumes | No |
@@ -1105,6 +1720,13 @@ Jump to a resource provider namespace:
> | secrets | No | > | volumes | No |
+## Microsoft.Services
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | rollouts | No |
+ ## Microsoft.SignalRService > [!div class="mx-tableFixed"]
@@ -1112,6 +1734,13 @@ Jump to a resource provider namespace:
> | - | -- | > | signalr | No |
+## Microsoft.SoftwarePlan
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | hybridusebenefits | No |
+ ## Microsoft.Solutions > [!div class="mx-tableFixed"]
@@ -1119,8 +1748,6 @@ Jump to a resource provider namespace:
> | - | -- | > | appliancedefinitions | No | > | appliances | No |
-> | applicationdefinitions | No |
-> | applications | No |
> | jitrequests | No | ## Microsoft.Sql
@@ -1129,6 +1756,7 @@ Jump to a resource provider namespace:
> | Resource type | Region move | > | - | -- | > | instancepools | No |
+> | locations | No |
> | managedinstances | Yes <br/><br/> [Learn more](../../azure-sql/database/move-resources-across-regions.md) about moving managed instances across regions. | > | managedinstances / databases | Yes | > | servers | Yes |
@@ -1144,12 +1772,6 @@ Jump to a resource provider namespace:
> | sqlvirtualmachinegroups | No | > | sqlvirtualmachines | No |
-## Microsoft.SqlVM
-
-> [!div class="mx-tableFixed"]
-> | Resource type | Region move |
-> | - | -- |
-> | dwvm | No |
## Microsoft.Storage
@@ -1198,6 +1820,7 @@ Jump to a resource provider namespace:
> [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
+> | clusters | No |
> | streamingjobs | No |
@@ -1207,18 +1830,32 @@ Jump to a resource provider namespace:
> | Resource type | Region move | > | - | -- | > | environments | No |
-> | environments / eventsources | No |
> | instances | No |
-> | instances / environments | No |
-> | instances / environments / eventsources | No |
-## Microsoft.TerraformOSS
+## Microsoft.Subscription
> [!div class="mx-tableFixed"] > | Resource type | Region move |
-> | - | -- |
-> | providerregistrations | No |
-> | resources | No |
+> | - | -- |
+> | subscriptions | No |
+
+## microsoft.support
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | services | No |
+> | supporttickets | No |
+
+## Microsoft.Synapse
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | workspaces | No |
+> | workspaces / bigdatapools | No |
+> | workspaces / sqlpools | No |
+ ## Microsoft.TimeSeriesInsights
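Review bot: this hunk silently drops three child resource types (`environments / eventsources`, `instances / environments`, `instances / environments / eventsources`) while keeping their parents `environments` and `instances`, and removes the whole Microsoft.TerraformOSS section (`providerregistrations`, `resources`). Both removals deserve a one-line justification in the PR description (retired provider, or types no longer returned), especially because the diff reuses the heading line to introduce `## Microsoft.Subscription`, which makes the TerraformOSS removal easy to miss. On `## microsoft.support`: keep the lowercase form if it matches the registered casing of that namespace, otherwise align it with the other headings.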
@@ -1252,7 +1889,17 @@ Jump to a resource provider namespace:
> | account / extension | No | > | account / project | No |
+## Microsoft.VMware
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | arczones | No |
+> | resourcepools | No |
+> | vcenters | No |
+> | virtualmachines | No |
+> | virtualmachinetemplates | No |
+> | virtualnetworks | No |
## Microsoft.VMwareCloudSimple
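Review bot: style, the new `## Microsoft.VMware` heading is immediately followed by the `> [!div class="mx-tableFixed"]` line with no blank line between them, unlike the other sections added in this patch (for example `## Microsoft.SerialConsole`); add the blank line so the section matches the rest of the file.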
@@ -1263,21 +1910,58 @@ Jump to a resource provider namespace:
> | dedicatedcloudservices | No | > | virtualmachines | No |
+## Microsoft.VnfManager
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | devices | No |
+> | vnfs | No |
+
+## Microsoft.VSOnline
+
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | accounts | No |
+> | plans | No |
+> | registeredsubscriptions | No |
++ ## Microsoft.Web > [!div class="mx-tableFixed"] > | Resource type | Region move | > | - | -- |
+> | availablestacks | No |
+> | billingmeters | No |
> | certificates | No | > | connectiongateways | No | > | connections | No | > | customapis | No |
+> | deletedsites | No |
+> | deploymentlocations | No |
+> | georegions | No |
> | hostingenvironments | No |
-> | serverfarms | No |
+> | kubeenvironments | No |
+> | publishingusers | No |
+> | recommendations | No |
+> | resourcehealthmetadata | No |
+> | runtimes | No |
+> | serverfarms | No |
+> | serverfarms / eventgridfilters | N
> | sites | No | > | sites / premieraddons | No | > | sites / slots | No |
+> | sourcecontrols | No |
+> | staticsites | No |
+
+## Microsoft.WindowsESU
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | multipleactivationkeys | No |
## Microsoft.WindowsIoT
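Review bot: the cell `+> | serverfarms / eventgridfilters | N` is truncated; every other row in these tables ends with `| No |`, so this row will render as a bare `N` with a missing closing pipe and should read `> | serverfarms / eventgridfilters | No |`. Two smaller points in the same hunk: `-> | serverfarms | No |` followed by `+> | serverfarms | No |` is a no-op that adds diff noise, and `## Microsoft.WindowsESU` lacks the blank line before its `[!div]` block that the Microsoft.VnfManager and Microsoft.VSOnline sections have.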
@@ -1286,15 +1970,28 @@ Jump to a resource provider namespace:
> | - | -- | > | deviceservices | No |
-## Microsoft.WindowsVirtualDesktop
+## Microsoft.WorkloadBuilder
> [!div class="mx-tableFixed"] > | Resource type | Region move |
-> | - | -- |
-> | applicationgroups | No |
-> | hostpools | No |
-> | workspaces | No |
+> | - | -- |
+> | workloads | No |
+
+## Microsoft.WorkloadMonitor
+> [!div class="mx-tableFixed"]
+> | Resource type | Region move |
+> | - | -- |
+> | components | No |
+> | componentssummary | No |
+> | monitorinstances | No |
+> | monitorinstancessummary | No |
+> | monitors | No |
## Third-party services
-Third-party services currently don't support the move operation.
\ No newline at end of file
+Third-party services currently don't support the move operation.
+
+## Next steps
+
+[Learn more](../../resource-mover/overview.md) about the Resource Mover service.
+
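Review bot: the `Microsoft.WindowsVirtualDesktop` section with its `applicationgroups`, `hostpools` and `workspaces` rows is removed and replaced by `## Microsoft.WorkloadBuilder` rather than moved; nothing else in this patch re-lists those three types, so confirm they are covered under the namespace that actually serves Windows Virtual Desktop (Microsoft.DesktopVirtualization) elsewhere in the file, otherwise readers lose the region-move guidance for host pools. Also, `## Microsoft.WorkloadMonitor` is missing the blank line before its `[!div]` block. Restoring the trailing newline at end of file is a welcome fix.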
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/resource-name-rules https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/resource-name-rules.md a/articles/azure-resource-manager/management/resource-name-rules.md
@@ -2,7 +2,7 @@
Title: Resource naming restrictions description: Shows the rules and restrictions for naming Azure resources. Previously updated : 12/29/2020 Last updated : 01/26/2021 # Naming rules and restrictions for Azure resources
@@ -630,7 +630,7 @@ In the following tables, the term alphanumeric refers to:
> | | | | | > | managedInstances | global | 1-63 | Lowercase letters, numbers, and hyphens.<br><br>Can't start or end with hyphen. <br><br> Can't have any special characters, such as `@`. | > | servers | global | 1-63 | Lowercase letters, numbers, and hyphens.<br><br>Can't start or end with hyphen. |
-> | servers / administrators | server | | Must be `ActiveDirectory`. <br><br> Can't have any special characters, such as `@`.|
+> | servers / administrators | server | | Must be `ActiveDirectory`. |
> | servers / databases | server | 1-128 | Can't use:<br>`<>*%&:\/?`<br><br>Can't end with period or space. | > | servers / databases / syncGroups | database | 1-150 | Alphanumerics, hyphens, and underscores. | > | servers / elasticPools | server | 1-128 | Can't use:<br>`<>*%&:\/?`<br><br>Can't end with period or space. |
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/management/security-controls-policy.md a/articles/azure-resource-manager/management/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Resource Manager description: Lists Azure Policy Regulatory Compliance controls available for Azure Resource Manager. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-cli.md a/articles/azure-resource-manager/templates/deploy-cli.md
@@ -2,7 +2,7 @@
Title: Deploy resources with Azure CLI and template description: Use Azure Resource Manager and Azure CLI to deploy resources to Azure. The resources are defined in a Resource Manager template. Previously updated : 01/15/2021 Last updated : 01/26/2021 # Deploy resources with ARM templates and Azure CLI
@@ -99,6 +99,18 @@ az deployment group create \
The preceding example requires a publicly accessible URI for the template, which works for most scenarios because your template shouldn't include sensitive data. If you need to specify sensitive data (like an admin password), pass that value as a secure parameter. However, if you want to manage access to the template, consider using [template specs](#deploy-template-spec).
+To deploy remote linked templates with relative path that are stored in a storage account, use `query-string` to specify the SAS token:
+
+```azurepowershell
+az deployment group create \
+ --name linkedTemplateWithRelativePath \
+ --resource-group myResourceGroup \
+ --template-uri "https://stage20210126.blob.core.windows.net/template-staging/mainTemplate.json" \
+ --query-string $sasToken
+```
+
+For more information, see [Use relative path for linked templates](./linked-templates.md#linked-template).
+ ## Deployment name When deploying an ARM template, you can give the deployment a name. This name can help you retrieve the deployment from the deployment history. If you don't provide a name for the deployment, the name of the template file is used. For example, if you deploy a template named `azuredeploy.json` and don't specify a deployment name, the deployment is named `azuredeploy`.
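Review bot: the fence around the `az deployment group create` example is tagged ```azurepowershell although the command is Azure CLI; use ```azurecli, as the linked-templates.md hunk in this same patch does, so the tab and highlighting are correct. The snippet also uses `$sasToken` without saying where it comes from; one sentence noting that it holds a container SAS token generated beforehand would help, and since that token is a credential appended to the URI of every linked template, the text should recommend a read-only SAS with a short expiry rather than an account-level token. Finally, "with relative path that are stored" reads better as "that use a relative path and are stored".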
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/deploy-powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/deploy-powershell.md a/articles/azure-resource-manager/templates/deploy-powershell.md
@@ -2,7 +2,7 @@
Title: Deploy resources with PowerShell and template description: Use Azure Resource Manager and Azure PowerShell to deploy resources to Azure. The resources are defined in a Resource Manager template. Previously updated : 01/15/2021 Last updated : 01/26/2021 # Deploy resources with ARM templates and Azure PowerShell
@@ -56,6 +56,34 @@ You can target your deployment to a resource group, subscription, management gro
For every scope, the user deploying the template must have the required permissions to create resources.
+## Deployment name
+
+When deploying an ARM template, you can give the deployment a name. This name can help you retrieve the deployment from the deployment history. If you don't provide a name for the deployment, the name of the template file is used. For example, if you deploy a template named `azuredeploy.json` and don't specify a deployment name, the deployment is named `azuredeploy`.
+
+Every time you run a deployment, an entry is added to the resource group's deployment history with the deployment name. If you run another deployment and give it the same name, the earlier entry is replaced with the current deployment. If you want to maintain unique entries in the deployment history, give each deployment a unique name.
+
+To create a unique name, you can assign a random number.
+
+```azurepowershell-interactive
+$suffix = Get-Random -Maximum 1000
+$deploymentName = "ExampleDeployment" + $suffix
+```
+
+Or, add a date value.
+
+```azurepowershell-interactive
+$today=Get-Date -Format "MM-dd-yyyy"
+$deploymentName="ExampleDeployment"+"$today"
+```
+
+If you run concurrent deployments to the same resource group with the same deployment name, only the last deployment is completed. Any deployments with the same name that haven't finished are replaced by the last deployment. For example, if you run a deployment named `newStorage` that deploys a storage account named `storage1`, and at the same time run another deployment named `newStorage` that deploys a storage account named `storage2`, you deploy only one storage account. The resulting storage account is named `storage2`.
+
+However, if you run a deployment named `newStorage` that deploys a storage account named `storage1`, and immediately after it completes you run another deployment named `newStorage` that deploys a storage account named `storage2`, then you have two storage accounts. One is named `storage1`, and the other is named `storage2`. But, you only have one entry in the deployment history.
+
+When you specify a unique name for each deployment, you can run them concurrently without conflict. If you run a deployment named `newStorage1` that deploys a storage account named `storage1`, and at the same time run another deployment named `newStorage2` that deploys a storage account named `storage2`, then you have two storage accounts and two entries in the deployment history.
+
+To avoid conflicts with concurrent deployments and to ensure unique entries in the deployment history, give each deployment a unique name.
+ ## Deploy local template You can deploy a template from your local machine or one that is stored externally. This section describes deploying a local template.
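Review bot: the relocated "Deployment name" section promises unique names, but neither snippet guarantees one: `Get-Random -Maximum 1000` yields only a thousand values, and `Get-Date -Format "MM-dd-yyyy"` collides for every deployment run on the same day, which is exactly the concurrent case the following paragraphs warn about. Since the text is being moved anyway, consider a finer-grained suffix such as `Get-Date -Format "yyyyMMdd-HHmmss"` or `New-Guid`, or state plainly that the two examples are illustrative. Minor: `"ExampleDeployment"+"$today"` quotes a variable needlessly; `"ExampleDeployment$today"` is the idiomatic form.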
@@ -75,7 +103,7 @@ New-AzResourceGroupDeployment `
-TemplateFile c:\MyTemplates\azuredeploy.json ```
-The deployment can take a few minutes to complete.
+The deployment can take several minutes to complete.
## Deploy remote template
@@ -91,40 +119,24 @@ To deploy an external template, use the `-TemplateUri` parameter.
```azurepowershell New-AzResourceGroupDeployment `
- -Name ExampleDeployment `
+ -Name remoteTemplateDeployment `
-ResourceGroupName ExampleGroup ` -TemplateUri https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/101-storage-account-create/azuredeploy.json ``` The preceding example requires a publicly accessible URI for the template, which works for most scenarios because your template shouldn't include sensitive data. If you need to specify sensitive data (like an admin password), pass that value as a secure parameter. However, if you want to manage access to the template, consider using [template specs](#deploy-template-spec).
-## Deployment name
-
-When deploying an ARM template, you can give the deployment a name. This name can help you retrieve the deployment from the deployment history. If you don't provide a name for the deployment, the name of the template file is used. For example, if you deploy a template named `azuredeploy.json` and don't specify a deployment name, the deployment is named `azuredeploy`.
-
-Every time you run a deployment, an entry is added to the resource group's deployment history with the deployment name. If you run another deployment and give it the same name, the earlier entry is replaced with the current deployment. If you want to maintain unique entries in the deployment history, give each deployment a unique name.
-
-To create a unique name, you can assign a random number.
+To deploy remote linked templates with relative path that are stored in a storage account, use `QueryString` to specify the SAS token:
-```azurepowershell-interactive
-$suffix = Get-Random -Maximum 1000
-$deploymentName = "ExampleDeployment" + $suffix
-```
-
-Or, add a date value.
-
-```azurepowershell-interactive
-$today=Get-Date -Format "MM-dd-yyyy"
-$deploymentName="ExampleDeployment"+"$today"
+```azurepowershell
+New-AzResourceGroupDeployment `
+ -Name linkedTemplateWithRelativePath `
+ -ResourceGroupName "myResourceGroup" `
+ -TemplateUri "https://stage20210126.blob.core.windows.net/template-staging/mainTemplate.json" `
+ -QueryString $sasToken
```
-If you run concurrent deployments to the same resource group with the same deployment name, only the last deployment is completed. Any deployments with the same name that haven't finished are replaced by the last deployment. For example, if you run a deployment named `newStorage` that deploys a storage account named `storage1`, and at the same time run another deployment named `newStorage` that deploys a storage account named `storage2`, you deploy only one storage account. The resulting storage account is named `storage2`.
-
-However, if you run a deployment named `newStorage` that deploys a storage account named `storage1`, and immediately after it completes you run another deployment named `newStorage` that deploys a storage account named `storage2`, then you have two storage accounts. One is named `storage1`, and the other is named `storage2`. But, you only have one entry in the deployment history.
-
-When you specify a unique name for each deployment, you can run them concurrently without conflict. If you run a deployment named `newStorage1` that deploys a storage account named `storage1`, and at the same time run another deployment named `newStorage2` that deploys a storage account named `storage2`, then you have two storage accounts and two entries in the deployment history.
-
-To avoid conflicts with concurrent deployments and to ensure unique entries in the deployment history, give each deployment a unique name.
+For more information, see [Use relative path for linked templates](./linked-templates.md#linked-template).
## Deploy template spec
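Review bot: the new `-QueryString $sasToken` example omits the two caveats that linked-templates.md in this same patch states for the same parameter: it requires Azure PowerShell version 5.4 or later, and the value must not start with `?` because the deployment adds one when assembling the URI. Readers who follow this article without clicking through will hit both, so either repeat those two sentences here or place them above the link. `$sasToken` is also undefined in the snippet; say where it comes from. The rename to `-Name remoteTemplateDeployment` is fine and avoids reusing the local-template example's name.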
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/linked-templates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/linked-templates.md a/articles/azure-resource-manager/templates/linked-templates.md
@@ -2,7 +2,7 @@
Title: Link templates for deployment description: Describes how to use linked templates in an Azure Resource Manager template (ARM template) to create a modular template solution. Shows how to pass parameters values, specify a parameter file, and dynamically created URLs. Previously updated : 01/25/2021 Last updated : 01/26/2021 # Using linked and nested templates when deploying Azure resources
@@ -490,6 +490,91 @@ To pass parameter values inline, use the `parameters` property.
You can't use both inline parameters and a link to a parameter file. The deployment fails with an error when both `parametersLink` and `parameters` are specified.
+### Use relative path for linked templates
+
+The `relativePath` property of `Microsoft.Resources/deployments` makes it easier to author linked templates. This property can be used to deploy a remote linked template at a location relative to the parent. This feature requires all template files to be staged and available at a remote URI, such as GitHub or Azure storage account. When the main template is called by using a URI from Azure PowerShell or Azure CLI, the child deployment URI is a combination of the parent and relativePath.
+
+> [!NOTE]
+> When creating a templateSpec, any templates referenced by the `relativePath` property is packaged in the templateSpec resource by Azure PowerShell or Azure CLI. It do not require the files to be staged. For more information, see [Create a template spec with linked templates](./template-specs.md#create-a-template-spec-with-linked-templates).
+
+Assume a folder structure like this:
+
+![resource manager linked template relative path](./media/linked-templates/resource-manager-linked-templates-relative-path.png)
+
+The following template shows how *mainTemplate.json* deploys *nestedChild.json* illustrated in the preceding image.
+
+```json
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "parameters": {},
+ "functions": [],
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Resources/deployments",
+ "apiVersion": "2020-10-01",
+ "name": "childLinked",
+ "properties": {
+ "mode": "Incremental",
+ "templateLink": {
+ "relativePath": "children/nestedChild.json"
+ }
+ }
+ }
+ ],
+ "outputs": {}
+}
+```
+
+In the following deployment, the URI of the linked template in the preceding template is **https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/linked-template-relpath/children/nestedChild.json**.
+
+# [PowerShell](#tab/azure-powershell)
+
+```azurepowershell
+New-AzResourceGroupDeployment `
+ -Name linkedTemplateWithRelativePath `
+ -ResourceGroupName "myResourceGroup" `
+ -TemplateUri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/linked-template-relpath/mainTemplate.json"
+```
+
+# [Azure CLI](#tab/azure-cli)
+
+```azurecli
+az deployment group create \
+ --name linkedTemplateWithRelativePath \
+ --resource-group myResourceGroup \
+ --template-uri "https://raw.githubusercontent.com/Azure/azure-docs-json-samples/master/linked-template-relpath/mainTemplate.json"
+```
+++
+To deploy linked templates with relative path stored in an Azure storage account, use the `QueryString`/`query-string` parameter to specify the SAS token to be used with the TemplateUri parameter. This parameter is only supported by Azure CLI version 2.18 or later and Azure PowerShell version 5.4 or later.
+
+# [PowerShell](#tab/azure-powershell)
+
+```azurepowershell
+New-AzResourceGroupDeployment `
+ -Name linkedTemplateWithRelativePath `
+ -ResourceGroupName "myResourceGroup" `
+ -TemplateUri "https://stage20210126.blob.core.windows.net/template-staging/mainTemplate.json" `
+ -QueryString $sasToken
+```
+
+# [Azure CLI](#tab/azure-cli)
+
+```azurecli
+az deployment group create \
+ --name linkedTemplateWithRelativePath \
+ --resource-group myResourceGroup \
+ --template-uri "https://stage20210126.blob.core.windows.net/template-staging/mainTemplate.json" \
+ --query-string $sasToken
+```
+++
+Make sure there is no leading "?" in QueryString. The deployment adds one when assembling the URI for the deployments.
+ ## Template specs Instead of maintaining your linked templates at an accessible endpoint, you can create a [template spec](template-specs.md) that packages the main template and its linked templates into a single entity you can deploy. The template spec is a resource in your Azure subscription. It makes it easy to securely share the template with users in your organization. You use Azure role-based access control (Azure RBAC) to grant access to the template spec. This feature is currently in preview.
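Review bot: grammar in the NOTE block: "any templates referenced by the `relativePath` property is packaged" should be "are packaged", and "It do not require the files to be staged" should be "It doesn't require". Second, because the child deployment URI is assembled from the parent URI, `relativePath` and the query string, the SAS token in `$sasToken` is sent with every linked-template request; the paragraph introducing `QueryString`/`query-string` should advise a read-only SAS scoped to the staging container with a short expiry, since the token is a credential. Third, the "no leading ?" caveat at the end is useful but easy to miss after two code tabs; it belongs next to the sentence that introduces the parameter.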
azure-resource-manager https://docs.microsoft.com/en-us/azure/azure-resource-manager/templates/template-variables https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-resource-manager/templates/template-variables.md a/articles/azure-resource-manager/templates/template-variables.md
@@ -2,7 +2,7 @@
Title: Variables in templates description: Describes how to define variables in an Azure Resource Manager template (ARM template). Previously updated : 11/24/2020 Last updated : 01/26/2021 # Variables in ARM template
@@ -11,10 +11,12 @@ This article describes how to define and use variables in your Azure Resource Ma
Resource Manager resolves variables before starting the deployment operations. Wherever the variable is used in the template, Resource Manager replaces it with the resolved value.
-The format of each variable must match one of the [data types](template-syntax.md#data-types).
- ## Define variable
+When defining a variable, provide a value or template expression that resolves to a [data type](template-syntax.md#data-types). You can use the value from a parameter or another variable when constructing the variable.
+
+You can use [template functions](template-functions.md) in the variable declaration, but you can't use the [reference](template-functions-resource.md#reference) function or any of the [list](template-functions-resource.md#list) functions. These functions get the runtime state of a resource, and can't be executed before deployment when variables are resolved.
+ The following example shows a variable definition. It creates a string value for a storage account name. It uses several template functions to get a parameter value, and concatenates it to a unique string. ```json
@@ -23,8 +25,6 @@ The following example shows a variable definition. It creates a string value for
}, ```
-You can't use the [reference](template-functions-resource.md#reference) function or any of the [list](template-functions-resource.md#list) functions in the `variables` section. These functions get the runtime state of a resource, and can't be executed before deployment when variables are resolved.
- ## Use variable In the template, you reference the value for the parameter by using the [variables](template-functions-deployment.md#variables) function. The following example shows how to use the variable for a resource property.
@@ -39,56 +39,20 @@ In the template, you reference the value for the parameter by using the [variabl
] ```
-## Configuration variables
-
-You can define variables that hold related values for configuring an environment. You define the variable as an object with the values. The following example shows an object that holds values for two environments - **test** and **prod**.
+## Example template
-```json
-"variables": {
- "environmentSettings": {
- "test": {
- "instanceSize": "Small",
- "instanceCount": 1
- },
- "prod": {
- "instanceSize": "Large",
- "instanceCount": 4
- }
- }
-},
-```
+The following template doesn't deploy any resources. It just shows some ways of declaring variables.
-In `parameters`, you create a value that indicates which configuration values to use.
+:::code language="json" source="~/resourcemanager-templates/azure-resource-manager/variables.json":::
-```json
-"parameters": {
- "environmentName": {
- "type": "string",
- "allowedValues": [
- "test",
- "prod"
- ]
- }
-},
-```
-
-To retrieve settings for the specified environment, use the variable and parameter together.
-
-```json
-"[variables('environmentSettings')[parameters('environmentName')].instanceSize]"
-```
-
-## Example templates
+## Configuration variables
-The following examples demonstrate scenarios for using variables.
+You can define variables that hold related values for configuring an environment. You define the variable as an object with the values. The following example shows an object that holds values for two environments - **test** and **prod**. You pass in one of these values during deployment.
-|Template |Description |
-|||
-| [variable definitions](https://github.com/Azure/azure-docs-json-samples/blob/master/azure-resource-manager/variables.json) | Demonstrates the different types of variables. The template doesn't deploy any resources. It constructs variable values and returns those values. |
-| [configuration variable](https://github.com/Azure/azure-docs-json-samples/blob/master/azure-resource-manager/variablesconfigurations.json) | Demonstrates the use of a variable that defines configuration values. The template doesn't deploy any resources. It constructs variable values and returns those values. |
-| [network security rules](https://github.com/Azure/azure-docs-json-samples/blob/master/azure-resource-manager/multipleinstance/multiplesecurityrules.json) and [parameter file](https://github.com/Azure/azure-docs-json-samples/blob/master/azure-resource-manager/multipleinstance/multiplesecurityrules.parameters.json) | Constructs an array in the correct format for assigning security rules to a network security group. |
+:::code language="json" source="~/resourcemanager-templates/azure-resource-manager/variablesconfigurations.json":::
## Next steps * To learn about the available properties for variables, see [Understand the structure and syntax of ARM templates](template-syntax.md). * For recommendations about creating variables, see [Best practices - variables](template-best-practices.md#variables).
+* For an example template that assigns security rules to a network security group, see [network security rules](https://github.com/Azure/azure-docs-json-samples/blob/master/azure-resource-manager/multipleinstance/multiplesecurityrules.json) and [parameter file](https://github.com/Azure/azure-docs-json-samples/blob/master/azure-resource-manager/multipleinstance/multiplesecurityrules.parameters.json).
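Review bot: replacing the inline JSON with `:::code` includes drops the one-line lookup `"[variables('environmentSettings')[parameters('environmentName')].instanceSize]"` and the `allowedValues` parameter that constrains `environmentName` to `test` and `prod`; unless variablesconfigurations.json is shown in full, the reader no longer sees how the configuration object is indexed by the parameter, which was the point of the section. Suggest keeping that expression in the prose after the include, and retaining the sentence "To retrieve settings for the specified environment, use the variable and parameter together."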
azure-signalr https://docs.microsoft.com/en-us/azure/azure-signalr/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-signalr/policy-reference.md a/articles/azure-signalr/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure SignalR description: Lists Azure Policy built-in policy definitions for Azure SignalR. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/connectivity-architecture https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/connectivity-architecture.md a/articles/azure-sql/database/connectivity-architecture.md
@@ -11,7 +11,7 @@
Previously updated : 06/26/2020 Last updated : 01/25/2021 # Azure SQL Database and Azure Synapse Analytics connectivity architecture [!INCLUDE[appliesto-sqldb-asa](../includes/appliesto-sqldb-asa.md)]
@@ -60,7 +60,7 @@ If you are connecting from outside Azure, your connections have a connection pol
![Diagram that shows how the TCP session is established via the Azure SQL Database gateway and all subsequent packets flow via the gateway.](./media/connectivity-architecture/connectivity-onprem.png) > [!IMPORTANT]
-> Additionally open TCP ports 1434 and 14000-14999 to enable [Connecting with DAC](/sql/database-engine/configure-windows/diagnostic-connection-for-database-administrators?view=sql-server-2017#connecting-with-dac)
+> Additionally open TCP ports 1434 and 14000-14999 to enable [Connecting with DAC](/sql/database-engine/configure-windows/diagnostic-connection-for-database-administrators#connecting-with-dac)
## Gateway IP addresses
@@ -77,7 +77,7 @@ Details of how traffic shall be migrated to new Gateways in specific regions are
| Brazil South | 104.41.11.5, 191.233.200.14, 191.234.144.16, 191.234.152.3 | | Canada Central | 40.85.224.249, 52.246.152.0, 20.38.144.1 | | Canada East | 40.86.226.166, 52.242.30.154, 40.69.105.9 , 40.69.105.10 |
-| Central US | 13.67.215.62, 52.182.137.15, 23.99.160.139, 104.208.16.96, 104.208.21.1 |
+| Central US | 13.67.215.62, 52.182.137.15, 23.99.160.139, 104.208.16.96, 104.208.21.1, 13.89.169.20 |
| China East | 139.219.130.35 | | China East 2 | 40.73.82.1 | | China North | 139.219.15.17 |
@@ -121,4 +121,4 @@ Details of how traffic shall be migrated to new Gateways in specific regions are
- For information on how to change the Azure SQL Database connection policy for a server, see [conn-policy](/cli/azure/sql/server/conn-policy). - For information about Azure SQL Database connection behavior for clients that use ADO.NET 4.5 or a later version, see [Ports beyond 1433 for ADO.NET 4.5](adonet-v12-develop-direct-route-ports.md).-- For general application development overview information, see [SQL Database Application Development Overview](develop-overview.md).\ No newline at end of file
+- For general application development overview information, see [SQL Database Application Development Overview](develop-overview.md).
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/elastic-scale-get-started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/elastic-scale-get-started.md a/articles/azure-sql/database/elastic-scale-get-started.md
@@ -79,13 +79,15 @@ To download and run the sample, follow these steps:
1. Download the [Elastic DB Tools for Azure SQL - Getting Started sample](https://github.com/Azure/elastic-db-tools). Unzip the sample to a location that you choose.
-2. To create a project, open the *ElasticScaleStarterKit.sln* solution from the *C#* directory.
+2. To create a project, open the *ElasticDatabaseTools.sln* solution from the *elastic-db-tools-master* directory.
-3. In the solution for the sample project, open the *app.config* file. Then follow the instructions in the file to add your server name and your sign-in information (username and password).
+3. Set the *ElasticScaleStarterKit* project as the Startup Project.
-4. Build and run the application. When you are prompted, enable Visual Studio to restore the NuGet packages of the solution. This action downloads the latest version of the elastic database client library from NuGet.
+4. In the *ElasticScaleStarterKit* project, open the *App.config* file. Then follow the instructions in the file to add your server name and your sign-in information (username and password).
-5. To learn more about the client library capabilities, experiment with the various options. Note the steps that the application takes in the console output, and feel free to explore the code behind the scenes.
+5. Build and run the application. When you are prompted, enable Visual Studio to restore the NuGet packages of the solution. This action downloads the latest version of the elastic database client library from NuGet.
+
+6. To learn more about the client library capabilities, experiment with the various options. Note the steps that the application takes in the console output, and feel free to explore the code behind the scenes.
![Progress][4]
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/gateway-migration https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/gateway-migration.md a/articles/azure-sql/database/gateway-migration.md
@@ -21,6 +21,13 @@ Customers will be notified via email and in the Azure portal well in advance of
## Status updates # [In progress](#tab/in-progress-ip)
+## February 2021
+New SQL Gateways are being added to the following regions:
+
+- Central US : 13.89.169.20
+
+These SQL Gateways shall start accepting customer traffic on 28 February 2021.
+ ## January 2021 New SQL Gateways are being added to the following regions:
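Review bot: the new February 2021 block lists the Central US gateway 13.89.169.20 and its go-live date but, like the January block it mirrors, does not say what the reader must do with the address; add a pointer to the action (allow the new gateway address in outbound firewall rules before 28 February 2021), otherwise the status update reads as informational only and customers with IP allow lists will lose connectivity on that date.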
@@ -35,7 +42,7 @@ New SQL Gateways are being added to the following regions:
- Korea Central : 52.231.17.22 ,52.231.17.23 - India West : 104.211.144.4
-These SQL Gateways shall start accepting customer traffic on 31 January 2021
+These SQL Gateways shall start accepting customer traffic on 31 January 2021.
# [Completed](#tab/completed-ip) The following gateway migrations are complete:
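Review bot: while adding the period to "31 January 2021.", also fix the stray space before the comma in the context line "Korea Central : 52.231.17.22 ,52.231.17.23" so the two-address entry is formatted like the single-address lines.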
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/policy-reference.md a/articles/azure-sql/database/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure SQL Database description: Lists Azure Policy built-in policy definitions for Azure SQL Database and SQL Managed Instance. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/recovery-using-backups https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/recovery-using-backups.md a/articles/azure-sql/database/recovery-using-backups.md
@@ -47,8 +47,8 @@ For a single subscription, there are limitations on the number of concurrent res
| **Deployment option** | **Max # of concurrent requests being processed** | **Max # of concurrent requests being submitted** | | : | --: | --: |
-|**Single database (per subscription)**|10|60|
-|**Elastic pool (per pool)**|4|200|
+|**Single database (per subscription)**|30|100|
+|**Elastic pool (per pool)**|4|2000|
There isn't a built-in method to restore the entire server. For an example of how to accomplish this task, see [Azure SQL Database: Full server recovery](https://gallery.technet.microsoft.com/Azure-SQL-Database-Full-82941666).
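Review bot: the elastic pool "requests being submitted" limit jumps from 200 to 2000 while "being processed" stays at 4, and the single-database row only moves 60 to 100; a tenfold increase on one cell with no change to the processing limit looks like a possible extra zero. Confirm the 2000 value against the service limits before merging, and consider stating in the text above the table which subscription or pool the "per subscription" and "per pool" scopes apply to when a restore request exceeds the limit (is it rejected or queued?).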
@@ -256,4 +256,4 @@ Automatic backups protect your databases from user and application errors, accid
- [Business continuity overview](business-continuity-high-availability-disaster-recover-hadr-overview.md) - [SQL Database automated backups](automated-backups-overview.md) - [Long-term retention](long-term-retention-overview.md)-- To learn about faster recovery options, see [Active geo-replication](active-geo-replication-overview.md) or [Auto-failover groups](auto-failover-group-overview.md).\ No newline at end of file
+- To learn about faster recovery options, see [Active geo-replication](active-geo-replication-overview.md) or [Auto-failover groups](auto-failover-group-overview.md).
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/security-controls-policy.md a/articles/azure-sql/database/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure SQL Database description: Lists Azure Policy Regulatory Compliance controls available for Azure SQL Database and SQL Managed Instance. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/database/sql-data-sync-sql-server-configure https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/database/sql-data-sync-sql-server-configure.md a/articles/azure-sql/database/sql-data-sync-sql-server-configure.md
@@ -173,10 +173,6 @@ After the new sync group members are created and deployed, **Configure sync grou
## FAQ
-**How frequently can Data Sync synchronize my data?**
-
-The minimal duration between synchronizations is five minutes.
- **Does SQL Data Sync fully create tables?** If sync schema tables are missing in the destination database, SQL Data Sync creates them with the columns you selected. However, this doesn't result in a full-fidelity schema for the following reasons:
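Review bot: deleting the "How frequently can Data Sync synchronize my data?" entry removes the only statement of the minimum sync interval (five minutes) without replacing it; if that value is no longer accurate, keep the question and state the current minimum (or link to where it is documented) rather than leaving readers with no answer, since the interval directly affects the recovery-point expectations people build on Data Sync.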
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/managed-instance/user-initiated-failover https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/managed-instance/user-initiated-failover.md a/articles/azure-sql/managed-instance/user-initiated-failover.md
@@ -9,7 +9,7 @@
Previously updated : 01/25/2021 Last updated : 01/26/2021 # User-initiated manual failover on SQL Managed Instance
@@ -120,7 +120,7 @@ Operation status can be tracked through reviewing API responses in response head
## Monitor the failover
-To monitor the progress of user initiated manual failover, execute the following T-SQL query in your favorite client (such is SSMS) on SQL Managed Instance. It will read the system view sys.dm_hadr_fabric_replica_states and report replicas available on the instance. Refresh the same query after initiating the manual failover.
+To monitor the progress of user initiated failover for your BC instance, execute the following T-SQL query in your favorite client (such is SSMS) on SQL Managed Instance. It will read the system view sys.dm_hadr_fabric_replica_states and report replicas available on the instance. Refresh the same query after initiating the manual failover.
```T-SQL SELECT DISTINCT replication_endpoint_url, fabric_replica_role_desc FROM sys.dm_hadr_fabric_replica_states
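Review bot: the rewritten sentence keeps the typo "such is SSMS" (should be "such as SSMS") and introduces "BC instance" without expansion; spell out "Business Critical (BC) service tier" on first use here, since the GP/BC abbreviations are relied on in the next hunk. The query also ends the flattened T-SQL block without a closing fence in this rendering; verify the fence is balanced in the source.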
@@ -128,7 +128,14 @@ SELECT DISTINCT replication_endpoint_url, fabric_replica_role_desc FROM sys.dm_h
Before initiating the failover, your output will indicate the current primary replica on BC service tier containing one primary and three secondaries in the AlwaysOn Availability Group. Upon execution of a failover, running this query again would need to indicate a change of the primary node.
-You will not be able to see the same output with GP service tier as the one above shown for BC. This is because GP service tier is based on a single node only. T-SQL query output for GP service tier will show a single node only before and after the failover. The loss of connectivity from your client during the failover, typically lasting under a minute, will be the indication of the failover execution.
+You will not be able to see the same output with GP service tier as the one above shown for BC. This is because GP service tier is based on a single node only.
+You can use alternative T-SQL query showing the time SQL process started on the node for GP service tier instance:
+
+```T-SQL
+SELECT sqlserver_start_time, sqlserver_start_time_ms_ticks FROM sys.dm_os_sys_info
+```
+
+The short loss of connectivity from your client during the failover, typically lasting under a minute, will be the indication of the failover execution regardless of the service tier.
> [!NOTE] > Completion of the failover process (not the actual short unavailability) might take several minutes at a time in case of **high-intensity** workloads. This is because the instance engine is taking care of all current transactions on the primary and catch up on the secondary node, prior to being able to failover.
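Review bot: the new GP-tier query returns sqlserver_start_time and sqlserver_start_time_ms_ticks but the text never says what to compare; add that the reader should run it before the failover and again afterwards, and that a later sqlserver_start_time (higher ms_ticks) confirms the SQL process was restarted on a new node. Minor wording: "You can use alternative T-SQL query" should read "You can use an alternative T-SQL query", and "showing the time SQL process started" should be "showing the time the SQL Server process started".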
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/migration-guides/virtual-machines/db2-to-sql-on-azure-vm-guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/virtual-machines/db2-to-sql-on-azure-vm-guide.md a/articles/azure-sql/migration-guides/virtual-machines/db2-to-sql-on-azure-vm-guide.md
@@ -3,7 +3,7 @@ Title: "DB2 to SQL Server on Azure VMs (Migration guide)"
description: Follow this guide to migrate your DB2 server to SQL Server on Azure VMs. -+ ms.devlang:
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-individual-databases-guide https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-individual-databases-guide.md a/articles/azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-individual-databases-guide.md
@@ -3,7 +3,7 @@ Title: SQL Server to SQL Server on Azure VMs (Migration guide)
description: Follow this guide to migrate your individual SQL Server databases to SQL Server on Azure Virtual Machines (VMs). -+ ms.devlang:
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-migration-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-migration-overview.md a/articles/azure-sql/migration-guides/virtual-machines/sql-server-to-sql-on-azure-vm-migration-overview.md
@@ -3,7 +3,7 @@ Title: SQL Server to SQL Server on Azure VM (Migration overview)
description: Learn about the different migration strategies when you want to migrate your SQL Server to SQL Server on Azure VMs. -+ ms.devlang:
@@ -33,7 +33,7 @@ Migrate to [SQL Server on Azure Virtual Machines (VMs)](../../virtual-machines/w
Save on costs by bringing your own license with the [Azure Hybrid Benefit licensing model](../../virtual-machines/windows/licensing-model-azure-hybrid-benefit-ahb-change.md) or extend support for SQL Server 2008 and SQL Server 2008 R2 by getting [free security updates](../../virtual-machines/windows/sql-server-2008-extend-end-of-support.md).
-## Choosing appropriate target
+## Choose appropriate target
Azure Virtual Machines run in many different regions of Azure and also offer a variety of [machine sizes](../../../virtual-machines/sizes.md) and [Storage options](../../../virtual-machines/disks-types.md). When determining the correct size of VM and Storage for your SQL Server workload, refer to the [Performance Guidelines for SQL Server on Azure Virtual Machines.](../../virtual-machines/windows/performance-guidelines-best-practices.md#vm-size-guidance). To determine the VM size and storage requirements for your workload. it is recommended that these are sized through a Performance-Based [Azure Migrate Assessment](../../../migrate/concepts-assessment-calculation.md#types-of-assessments). If this is not an available option, see the following article on creating your own [baseline for performance](https://azure.microsoft.com/services/virtual-machines/sql-server/).
azure-sql https://docs.microsoft.com/en-us/azure/azure-sql/virtual-machines/windows/licensing-model-azure-hybrid-benefit-ahb-change https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-sql/virtual-machines/windows/licensing-model-azure-hybrid-benefit-ahb-change.md a/articles/azure-sql/virtual-machines/windows/licensing-model-azure-hybrid-benefit-ahb-change.md
@@ -32,7 +32,7 @@ There are three license models for an Azure VM that's hosting SQL Server: pay-as
Azure Hybrid Benefit allows the use of SQL Server licenses with Software Assurance ("Qualified License") on Azure virtual machines. With Azure Hybrid Benefit, customers aren't charged for the use of a SQL Server license on a VM. But they must still pay for the cost of the underlying cloud compute (that is, the base rate), storage, and backups. They must also pay for I/O associated with their use of the services (as applicable).
-According to the Microsoft Product Terms: "Customers must indicate that they are using Azure SQL Database (Managed Instance, Elastic Pool, and Single Database), Azure Data Factory, SQL Server Integration Services, or SQL Server Virtual Machines under Azure Hybrid Benefit for SQL Server when configuring workloads on Azure."
+According to the Microsoft [Product Terms](https://www.microsoft.com/licensing/terms/productoffering/MicrosoftAzureServices/EAEAS): "Customers must indicate that they are using Azure SQL Database (Managed Instance, Elastic Pool, and Single Database), Azure Data Factory, SQL Server Integration Services, or SQL Server Virtual Machines under Azure Hybrid Benefit for SQL Server when configuring workloads on Azure."
To indicate the use of Azure Hybrid Benefit for SQL Server on Azure VM and be compliant, you have three options:
azure-vmware https://docs.microsoft.com/en-us/azure/azure-vmware/netapp-files-with-azure-vmware-solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/netapp-files-with-azure-vmware-solution.md new file mode 100644 /dev/null
@@ -0,0 +1,103 @@
+
+ Title: Azure NetApp Files with Azure VMware Solution
+description: Use Azure NetApp Files with Azure VMware Solution VMs to migrate and sync data across on-premises servers, Azure VMware Solution VMs, and cloud infrastructures.
+ Last updated : 01/20/2021++
+# Azure NetApp Files with Azure VMware Solution
+
+In this article, we'll walk through the steps of integrating Azure NetApp Files with Azure VMware Solution-based workloads. The guest operating system will run inside virtual machines (VMs) accessing Azure NetApp Files volumes.
+
+## Azure NetApp Files overview
+
+[Azure NetApp Files](../azure-netapp-files/azure-netapp-files-introduction.md) is an Azure first-party service for migration and running the most demanding enterprise file-workloads in the cloud, including databases, SAP, and high-performance computing applications, with no code changes.
+
+### Features
+(Services where Azure NetApp Files are used.)
+
+- **Active Directory connections**: Azure NetApp Files supports [Active Directory Domain Services and Azure Active Directory Domain Services](../azure-netapp-files/azure-netapp-files-create-volumes-smb.md#decide-which-domain-services-to-use).
+
+- **Share Protocol**: Azure NetApp Files supports Server Message Block (SMB) and Network File System (NFS) protocols. This support means the volumes can be mounted on the Linux client and can be mapped on Windows client.
+
+- **Azure VMware Solution**: Azure NetApp Files shares can be mounted from VMs that are created in the Azure VMware Solution environment.
+
+Azure NetApp Files is available in many Azure regions and supports cross-region replication. For information on Azure NetApp Files configuration methods, see [Storage hierarchy of Azure NetApp Files](../azure-netapp-files/azure-netapp-files-understand-storage-hierarchy.md).
+
+## Reference architecture
+
+The following diagram illustrates a connection via Azure ExpressRoute to an Azure VMware Solution private cloud. It shows the usage of an Azure NetApp Files share, mounted on Azure VMware Solution VMs, being accessed by the Azure VMware Solution environment.
+
+![Diagram showing NetApp Files for Azure VMware Solution architecture.](media/net-app-files/net-app-files-topology.png)
+
+This article covers instructions to set up, test, and verify the Azure NetApp Files volume as a file share for Azure VMware Solution VMs. In this scenario, we have used the NFS protocol. Azure NetApp Files and Azure VMware Solution are created in the same Azure region.
+
+## Prerequisites
+
+> [!div class="checklist"]
+> * Azure subscription with Azure NetApp Files enabled
+> * Subnet for Azure NetApp Files
+> * Linux VM on Azure VMware Solution
+> * Windows VMs on Azure VMware Solution
+
+## Regions supported
+
+List of supported regions can be found at [Azure Products by Region](https://azure.microsoft.com/global-infrastructure/services/?products=netapp,azure-vmware&regions=all).
+
+## Verify pre-configured Azure NetApp Files
+
+Follow the step-by-step instructions in the following articles to create and Mount Azure NetApp Files volumes onto Azure VMware Solution VMs.
+
+- [Create a NetApp account](../azure-netapp-files/azure-netapp-files-create-netapp-account.md)
+- [Set up a capacity pool](../azure-netapp-files/azure-netapp-files-set-up-capacity-pool.md)
+- [Create an SMB volume for Azure NetApp Files](../azure-netapp-files/azure-netapp-files-create-volumes-smb.md)
+- [Create an NFS volume for Azure NetApp Files](../azure-netapp-files/azure-netapp-files-create-volumes.md)
+- [Delegate a subnet to Azure NetApp Files](../azure-netapp-files/azure-netapp-files-delegate-subnet.md)
+
+The following steps include verification of the pre-configured Azure NetApp Files created in Azure on Azure NetApp Files Premium service level.
+
+1. In the Azure portal, under **STORAGE**, select **Azure NetApp Files**. A list of your configured Azure NetApp Files will show.
+
+ :::image type="content" source="media/net-app-files/azure-net-app-files-list.png" alt-text="Screenshot showing list of pre-configured Azure NetApp Files.":::
+
+2. Select a configured NetApp Files account to view its settings. For example, select **Contoso-anf2**.
+
+3. Select **Capacity pools** to verify the configured pool.
+
+ :::image type="content" source="media/net-app-files/net-app-settings.png" alt-text="Screenshot showing options to view capacity pools and volumes of a configured NetApp Files account.":::
+
+ The Capacity pools page opens showing the capacity and service level. In this example, the storage pool is configured as 4 TiB with a Premium service level.
+
+4. Select **Volumes** to view volumes created under the capacity pool. (See preceding screenshot.)
+
+5. Select a volume to view its configuration.
+
+ :::image type="content" source="media/net-app-files/azure-net-app-volumes.png" alt-text="Screenshot showing volumes created under the capacity pool.":::
+
+ A window opens showing the configuration details of the volume.
+
+ :::image type="content" source="media/net-app-files/configuration-of-volume.png" alt-text="Screenshot showing configuration details of a volume.":::
+
+ You can see that the volume anfvolume, with a size of 200 GiB, was created in capacity pool anfpool1 and exported as an NFS file share via 10.22.3.4:/ANFVOLUME. One private IP from the Azure Virtual Network (VNet) was created for Azure NetApp Files and the NFS path to mount on the VM. For information on Azure NetApp Files volume performance relative to size ("Quota"), see [Performance considerations for Azure NetApp Files](../azure-netapp-files/azure-netapp-files-performance-considerations.md).
+
+## Verify pre-configured Azure VMware Solution VM share mapping
+
+Before showcasing the accessibility of Azure NetApp Files share to an Azure VMware Solution VM, it's important to understand SMB and NFS share mapping. Only after configuring the SMB or NFS volumes, can they be mounted as documented here.
+
+- SMB share: Create an Active Directory connection before deploying an SMB volume. The specified domain controllers must be accessible by the delegated subnet of Azure NetApp Files for a successful connection. Once the Active Directory is configured within the Azure NetApp Files account, it will appear as a selectable item while creating SMB volumes.
+
+- NFS share: Azure NetApp Files contributes to creating the volumes using NFS or dual protocol (NFS and SMB). A volume's capacity consumption counts against its pool's provisioned capacity. NFS can be mounted to the Linux server by using the command lines or /etc/fstab entries.
+
+## Use Cases of Azure NetApp Files with Azure VMware Solution
+
+The following are just a few compelling Azure NetApp Files use cases.
+- Horizon profile management
+- Citrix profile management
+- Remote Desktop Services profile management
+- File shares on Azure VMware Solution
+
+## Next steps
+- Learn about [resource limits for Azure NetApp Files](../azure-netapp-files/azure-netapp-files-resource-limits.md#resource-limits).
+- See [Guidelines for Azure NetApp Files network planning](../azure-netapp-files/azure-netapp-files-network-topologies.md).
+- Learn about [Cross-region replication of Azure NetApp Files volumes](../azure-netapp-files/cross-region-replication-introduction.md).
+- See [FAQs about Azure NetApp Files](../azure-netapp-files/azure-netapp-files-faqs.md).
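Review bot: the NFS share section ("exported as an NFS file share via 10.22.3.4:/ANFVOLUME" and "NFS can be mounted to the Linux server by using the command lines or /etc/fstab entries") never says which clients are allowed to mount the volume; document the volume's export policy (the allowed client addresses, read/write vs. read-only, and root access) and recommend restricting it to the Azure VMware Solution workload subnet, since NFS access control here is by client address rather than by user credential. Likewise the SMB bullet should say which account is used for the Active Directory connection and that it needs only the rights to join machine accounts. Wording to tidy in the same pass: "(Services where Azure NetApp Files are used.)" under Features is a fragment; "create and Mount Azure NetApp Files volumes" has a stray capital; "Azure NetApp Files contributes to creating the volumes using NFS or dual protocol" should read "Azure NetApp Files supports creating volumes using NFS or dual protocol (NFS and SMB)".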
azure-vmware https://docs.microsoft.com/en-us/azure/azure-vmware/vrealize-operations-for-azure-vmware-solution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/azure-vmware/vrealize-operations-for-azure-vmware-solution.md a/articles/azure-vmware/vrealize-operations-for-azure-vmware-solution.md
@@ -2,7 +2,7 @@
Title: Set up vRealize Operations for Azure VMware Solution description: Learn how to set up vRealize Operations for your Azure VMware Solution private cloud. Previously updated : 09/22/2020 Last updated : 01/26/2021 # Set up vRealize Operations for Azure VMware Solution
@@ -22,8 +22,8 @@ Thoroughly review [Before you begin](#before-you-begin) and [Prerequisites](#pre
* Optionally, review the [vRealize Operations Remote Controller](https://docs.vmware.com/en/vRealize-Operations-Manager/8.1/com.vmware.vcom.vapp.doc/GUID-263F9219-E801-4383-8A59-E84F3D01ED6B.html) product documentation for the on-premises vRealize Operations managing Azure VMware Solution deployment option. - ## Prerequisites
+* [vRealize Operations Manager](https://docs.vmware.com/en/vRealize-Operations-Manager/8.1/com.vmware.vcom.vapp.doc/GUID-7FFC61A0-7562-465C-A0DC-46D092533984.html) installed.
* A VPN or an Azure ExpressRoute configured between on-premises and Azure VMware Solution SDDC. * An Azure VMware Solution private cloud has been deployed in Azure.
@@ -45,12 +45,13 @@ To extend the vRealize Operations capabilities to the Azure VMware Solution priv
Another option is to deploy an instance of vRealize Operations Manager on a vSphere cluster in the private cloud.
+>[!IMPORTANT]
+>This option isn't currently supported by VMware.
+ :::image type="content" source="media/vrealize-operations-manager/vrealize-operations-deployment-option-2.png" alt-text="vRealize Operations running on Azure VMware Solution" border="false"::: Once the instance has been deployed, you can configure vRealize Operations to collect data from vCenter, ESXi, NSX-T, vSAN, and HCX.
-> [!TIP]
-> Refer to the [VMware documentation](https://docs.vmware.com/en/vRealize-Operations-Manager/8.1/com.vmware.vcom.vapp.doc/GUID-7FFC61A0-7562-465C-A0DC-46D092533984.html) for step-by-step guide for installing vRealize Operations Manager.
## Known limitations
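Review bot: the new IMPORTANT callout says the in-private-cloud deployment option "isn't currently supported by VMware", yet the unchanged paragraph right after it still instructs readers to deploy the instance and configure collection from vCenter, ESXi, NSX-T, vSAN and HCX; either state plainly that the option is documented for awareness only and should not be used in production, or move the callout so it is clear whether the following steps are still sanctioned. Dropping the TIP is fine since the same install-guide link now lives in Prerequisites, but the prerequisite wording "vRealize Operations Manager installed" should say where (on-premises), given the section below says the in-cloud option is unsupported.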
backup https://docs.microsoft.com/en-us/azure/backup/about-azure-vm-restore https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/about-azure-vm-restore.md a/articles/backup/about-azure-vm-restore.md
@@ -45,6 +45,6 @@ This article describes how the [Azure Backup service](./backup-overview.md) rest
## Next steps -- [Frequently asked questions about VM restore](./backup-azure-vm-backup-faq.md#restore)
+- [Frequently asked questions about VM restore](https://docs.microsoft.com/azure/backup/backup-azure-vm-backup-faq#restore)
- [Supported restore methods](./backup-support-matrix-iaas.md#supported-restore-methods) - [Troubleshoot restore issues](./backup-azure-vms-troubleshoot.md#restore)\ No newline at end of file
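Review bot: this file switches the VM-restore FAQ link to an absolute docs.microsoft.com URL while the sibling files in the same change (backup-azure-alternate-dpm-server, backup-azure-backup-faq, backup-azure-monitor-alert-faq) switch to the relative `backup-azure-vm-backup-faq.yml`; use the relative `./backup-azure-vm-backup-faq.yml#restore` form here as well so the link resolves in localized and preview builds and stays in sync if the FAQ moves again. The "\ No newline at end of file" marker on the last bullet is also worth fixing while the file is open.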
backup https://docs.microsoft.com/en-us/azure/backup/backup-azure-alternate-dpm-server https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-alternate-dpm-server.md a/articles/backup/backup-azure-alternate-dpm-server.md
@@ -83,5 +83,5 @@ To recover data from an Azure Backup Server:
Read the other FAQs:
-* [Common questions](backup-azure-vm-backup-faq.md) about Azure VM backups
+* [Common questions](backup-azure-vm-backup-faq.yml) about Azure VM backups
* [Common questions](backup-azure-file-folder-backup-faq.md) about the Azure Backup agent
backup https://docs.microsoft.com/en-us/azure/backup/backup-azure-backup-faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-backup-faq.md a/articles/backup/backup-azure-backup-faq.md
@@ -65,7 +65,7 @@ In the case of a [GRS](azure-backup-glossary.md#grs) vault without [CRR](azure-b
### Where can I find common questions about the Azure Backup agent for Azure VM backup? -- For the agent running on Azure VMs, read this [FAQ](backup-azure-vm-backup-faq.md).
+- For the agent running on Azure VMs, read this [FAQ](backup-azure-vm-backup-faq.yml).
- For the agent used to back up Azure file folders, read this [FAQ](backup-azure-file-folder-backup-faq.md). ## General backup
@@ -231,5 +231,5 @@ The key used to encrypt the backup data is present only on your site. Microsoft
Read the other FAQs: -- [Common questions](backup-azure-vm-backup-faq.md) about Azure VM backups.
+- [Common questions](backup-azure-vm-backup-faq.yml) about Azure VM backups.
- [Common questions](backup-azure-file-folder-backup-faq.md) about the Azure Backup agent
backup https://docs.microsoft.com/en-us/azure/backup/backup-azure-monitor-alert-faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-monitor-alert-faq.md a/articles/backup/backup-azure-monitor-alert-faq.md
@@ -65,5 +65,5 @@ Yes. In the following situations, notifications aren't sent:
Read the other FAQs:
-* [Common questions](backup-azure-vm-backup-faq.md) about Azure VM backups.
+* [Common questions](backup-azure-vm-backup-faq.yml) about Azure VM backups.
* [Common questions](backup-azure-file-folder-backup-faq.md) about the Azure Backup agent
backup https://docs.microsoft.com/en-us/azure/backup/backup-azure-vm-backup-faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-vm-backup-faq.md deleted file mode 100644 a/articles/backup/backup-azure-vm-backup-faq.md
@@ -1,222 +0,0 @@
- Title: FAQ - Backing up Azure VMs
-description: In this article, discover answers to common questions about backing up Azure VMs with the Azure Backup service.
- Previously updated : 09/17/2019-
-# Frequently asked questions-Back up Azure VMs
-
-This article answers common questions about backing up Azure VMs with the [Azure Backup](./backup-overview.md) service.
-
-## Backup
-
-### Which VM images can be enabled for backup when I create them?
-
-When you create a VM, you can enable backup for VMs running [supported operating systems](backup-support-matrix-iaas.md#supported-backup-actions).
-
-### Why Initial backup is taking lot of time to complete?
-
-Initial backup is always a full backup and it will depend on the size of the data and when the backup is processed. <br>
-To improve backup performance see, [backup best practices](./backup-azure-vms-introduction.md#best-practices); [Backup considerations](./backup-azure-vms-introduction.md#backup-and-restore-considerations) and [Backup Performance](./backup-azure-vms-introduction.md#backup-performance)<br>
-Although the total backup time for incremental backups is less than 24 hours, that might not be the case for the first backup.
-
-### Is the backup cost included in the VM cost?
-
-No. Backup costs are separate from a VM's costs. Learn more about [Azure Backup pricing](https://azure.microsoft.com/pricing/details/backup/).
-
-### Which permissions are required to enable backup for a VM?
-
-If you're a VM contributor, you can enable backup on the VM. If you're using a custom role, you need the following permissions to enable backup on the VM:
--- Microsoft.RecoveryServices/Vaults/write-- Microsoft.RecoveryServices/Vaults/read-- Microsoft.RecoveryServices/locations/*-- Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/*/read-- Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/read-- Microsoft.RecoveryServices/Vaults/backupFabrics/protectionContainers/protectedItems/write-- Microsoft.RecoveryServices/Vaults/backupFabrics/backupProtectionIntent/write-- Microsoft.RecoveryServices/Vaults/backupPolicies/read-- Microsoft.RecoveryServices/Vaults/backupPolicies/write-
-If your Recovery Services vault and VM have different resource groups, make sure you have write permissions in the resource group for the Recovery Services vault.
-
-### Does an on-demand backup job use the same retention schedule as scheduled backups?
-
-No. Specify the retention range for an on-demand backup job. By default, it's retained for 30 days when triggered from the portal.
-
-### I recently enabled Azure Disk Encryption on some VMs. Will my backups continue to work?
-
-Provide permissions for Azure Backup to access the Key Vault. Specify the permissions in PowerShell as described in the **Enable backup** section in the [Azure Backup PowerShell](backup-azure-vms-automation.md) documentation.
-
-### I migrated VM disks to managed disks. Will my backups continue to work?
-
-Yes, backups work seamlessly. There's no need to reconfigure anything.
-
-### Why can't I see my VM in the Configure Backup wizard?
-
-The wizard only lists VMs in the same region as the vault, and that aren't already being backed up.
-
-### My VM is shut down. Will an on-demand or a scheduled backup work?
-
-Yes. Backups run when a machine is shut down. The recovery point is marked as crash consistent.
-
-### Can I cancel an in-progress backup job?
-
-Yes. You can cancel the backup job in a **Taking snapshot** state. You can't cancel a job if data transfer from the snapshot is in progress.
-
-### I enabled a lock on the resource group created by Azure Backup Service (for example, `AzureBackupRG_<geo>_<number>`). Will my backups continue to work?
-
-If you lock the resource group created by the Azure Backup Service, backups will start to fail as there's a maximum limit of 18 restore points.
-
-Remove the lock, and clear the restore point collection from that resource group to make the future backups successful. [Follow these steps](backup-azure-troubleshoot-vm-backup-fails-snapshot-timeout.md#clean-up-restore-point-collection-from-azure-portal) to remove the restore point collection.
-
-### I have a lock at the resource group level that contains all the resources related to my virtual machine. Will my backup work?
-
-Azure Backup creates a separate resource group in the format `AzureBackupRG_<geo>_<number>` to store ResourcePointCollections objects. Since this resource group is service owned, locking it will cause backups to fail. Locks can be only applied to customer-created resource groups.
-
-### Does Azure Backup support standard SSD-managed disks?
-
-Yes, Azure Backup supports [standard SSD managed disks](../virtual-machines/disks-types.md#standard-ssd).
-
-### Can we back up a VM with a Write Accelerator (WA)-enabled disk?
-
-Snapshots can be taken on only data disks which are WA enabled and not OS disks. So only data disks which are WA enabled can be protected.
-
-### I have a VM with Write Accelerator (WA) disks and SAP HANA installed. How do I back up?
-
-Azure Backup can back up the WA-enabled data disk. However, the backup won't provide database consistency.
-
-Azure Backup provides a streaming backup solution for SAP HANA databases with an RPO of 15 minutes. It's Backint certified by SAP to provide a native backup support leveraging SAP HANAΓÇÖs native APIs. Learn more [about backing up SAP HANA databases in Azure VMs](./sap-hana-db-about.md).
-
-### What is the maximum delay I can expect in backup start time from the scheduled backup time I have set in my VM backup policy?
-
-The scheduled backup will be triggered within 2 hours of the scheduled backup time. For example, If 100 VMs have their backup start time scheduled at 2:00 AM, then by 4:00 AM at the latest all the 100 VMs will have their backup job in progress. If scheduled backups have been paused because of an outage and resumed or retried, then the backup can start outside of this scheduled two-hour window.
-
-### What is the minimum allowed retention range for a daily backup point?
-
-Azure Virtual Machine backup policy supports a minimum retention range from seven days up to 9999 days. Any modification to an existing VM backup policy with less than seven days will require an update to meet the minimum retention range of seven days.
-
-### What happens if I change the case of the name of my VM or my VM resource group?
-
-If you change the case (to upper or lower) of your VM or VM resource group, the case of the backup item name won't change. However, this is expected Azure Backup behavior. The case change won't appear in the backup item, but is updated at the backend.
-
-### Can I back up or restore selective disks attached to a VM?
-
-Azure Backup now supports selective disk backup and restore using the Azure Virtual Machine backup solution. For more information, see [Selective disk backup and restore for Azure VMs](selective-disk-backup-restore.md).
-
-### Are managed identities preserved if a tenant change occurs during backup?
-
-If [tenant changes](/azure/devops/organizations/accounts/change-azure-ad-connection) occur, you're required to disable and re-enable [managed identities](../active-directory/managed-identities-azure-resources/overview.md) to make backups work again.
-
-### Does Azure Backup support backing up NFS files mounted from storage?
-
-Azure Backup doesn't support backing up NFS files that are mounted from storage, or from any other NFS server, to Linux or Windows machines. It only backs up disks which are locally attached to the VM.
-
-## Restore
-
-### How do I decide whether to restore disks only or a full VM?
-
-Think of a VM restore as a quick create option for an Azure VM. This option changes disk names, containers used by the disks, public IP addresses, and network interface names. The change maintains unique resources when a VM is created. The VM isn't added to an availability set.
-
-You can use the restore disk option if you want to:
--- Customize the VM that gets created. For example, change the size.-- Add configuration settings that weren't there at the time of backup.-- Control the naming convention for resources that are created.-- Add the VM to an availability set.-- Add any other setting that must be configured using PowerShell or a template.-
-### Can I restore backups of unmanaged VM disks after I upgrade to managed disks?
-
-Yes, you can use backups taken before disks were migrated from unmanaged to managed.
-
-### How do I restore a VM to a restore point before the VM was migrated to managed disks?
-
-The restore process remains the same. If the recovery point is of a point-in-time when VM had unmanaged disks, you can [restore disks as unmanaged](tutorial-restore-disk.md#unmanaged-disks-restore). If the VM had managed disks, then you can [restore disks as managed disks](tutorial-restore-disk.md#managed-disk-restore). Then you can [create a VM from those disks](tutorial-restore-disk.md#create-a-vm-from-the-restored-disk).
-
-[Learn more](backup-azure-vms-automation.md#restore-an-azure-vm) about doing this in PowerShell.
-
-### If the restore fails to create the VM, what happens to the disks included in the restore?
-
-In the event of a managed VM restore, even if the VM creation fails, the disks will still be restored.
-
-### Can I restore a VM that's been deleted?
-
-Yes. Even if you delete the VM, you can go to the corresponding backup item in the vault and restore from a recovery point.
-
-### How do I restore a VM to the same availability sets?
-
-For Managed Disk Azure VMs, restoring to the availability sets is enabled by providing an option in the template while restoring as managed disks. This template has the input parameter called **Availability sets**.
-
-### How do we get faster restore performances?
-
-[Instant Restore](backup-instant-restore-capability.md) capability helps with faster backups and instant restores from the snapshots.
-
-### What happens when we change the key vault settings for the encrypted VM?
-
-After you change the key vault settings for the encrypted VM, backups will continue to work with the new set of details. However, after the restore from a recovery point before the change, you'll have to restore the secrets in a key vault before you can create the VM from it. For more information, see this [article](./backup-azure-restore-key-secret.md).
-
-Operations like secret/key roll-over don't require this step and the same key vault can be used after restore.
-
-### Can I access the VM once restored due to a VM having broken relationship with domain controller?
-
-Yes, you access the VM once restored due to a VM having broken relationship with domain controller. For more information, see this [article](./backup-azure-arm-restore-vms.md#post-restore-steps).
-
-### Can I cancel an in-progress restore job?
-No, you cannot cancel the restore job that is in-progress.
-
-### Why restore operation is taking long time to complete?
-
-The total restore time depends on the Input/output operations per second (IOPS) and the throughput of the storage account. The total restore time can be affected if the target storage account is loaded with other application read and write operations. To improve restore operation, select a storage account that isn't loaded with other application data.
-
-### How do we handle "Create New Virtual Machine"-restore type conflicts with governance policies?
-
-Azure Backup uses "attach" disks from recovery points and doesn't look at your image references or galleries. So in the policy you can check "storageProfile.osDisk.createOption as Attach", and the script condition will be:
-
-`if (storageProfile.osDisk.createOption == "Attach") then { exclude <Policy> }`
-
-## Manage VM backups
-
-### What happens if I modify a backup policy?
-
-The VM is backed up using the schedule and retention settings in the modified or new policy.
--- If retention is extended, existing recovery points are marked and kept in accordance with the new policy.-- If retention is reduced, recovery points are marked for pruning in the next cleanup job, and subsequently deleted.-
-### How do I move a VM backed up by Azure Backup to a different resource group?
-
-1. Temporarily stop the backup and retain backup data.
-2. To move virtual machines configured with Azure Backup, do the following steps:
-
- 1. Find the location of your virtual machine.
- 2. Find a resource group with the following naming pattern: `AzureBackupRG_<location of your VM>_1`. For example, *AzureBackupRG_westus2_1*
- 3. In the Azure portal, check **Show hidden types**.
- 4. Find the resource with type **Microsoft.Compute/restorePointCollections** that has the naming pattern `AzureBackup_<name of your VM that you're trying to move>_###########`.
- 5. Delete this resource. This operation deletes only the instant recovery points, not the backed-up data in the vault.
- 6. After the delete operation is complete, you can move your virtual machine.
-
-3. Move the VM to the target resource group.
-4. Resume the backup.
-
-You can restore the VM from available restore points that were created before the move operation.
-
-### What happens after I move a VM to a different resource group?
-
-Once a VM is moved to a different resource group, it's a new VM as far as Azure Backup is concerned.
-
-After moving the VM to a new resource group, you can reprotect the VM either in the same vault or a different vault. Since this is a new VM for Azure Backup, you'll be billed for it separately.
-
-The old VM's restore points will be available for restore if needed. If you don't need this backup data, you can stop protecting your old VM with delete data.
-
-### Is there a limit on number of VMs that can be associated with the same backup policy?
-
-Yes, there's a limit of 100 VMs that can be associated to the same backup policy from the portal. We recommend that for more than 100 VMs, create multiple backup policies with same schedule or different schedule.
-
-### How can I view the retention settings for my backups?
-
-Currently, you can view retention settings at a backup item (VM) level based on the backup policy that's assigned to the VM.
-
-One way to view the retention settings for your backups, is to navigate to the backup item [dashboard](./backup-azure-manage-vms.md#view-vms-on-the-dashboard) for your VM, in the Azure portal. Selecting the link to its backup policy helps you view the retention duration of all the daily, weekly, monthly and yearly retention points associated with the VM.
-
-You can also use [Backup Explorer](./monitor-azure-backup-with-backup-explorer.md) to view the retention settings for all your VMs within a single pane of glass. Navigate to Backup Explorer from any Recovery Services vault, go to the **Backup Items** tab and select the Advanced View to see detailed retention information for each VM.
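Review bot: this hunk deletes backup-azure-vm-backup-faq.md in full, while the later hunks in backup-azure-vms-automation.md, quick-backup-vm-cli.md and selective-disk-backup-restore.md retarget their links to backup-azure-vm-backup-faq.yml; none of the hunks shown here adds that .yml, so confirm the YAML FAQ lands in the same commit and exposes the `#is-there-a-limit-on-number-of-vms-that-can-be-associated-with-the-same-backup-policy` anchor the new links use, otherwise every retargeted link breaks. Two items in the removed text are operational guidance that should survive the migration verbatim: the key vault answer (after restoring from a recovery point taken before a key vault settings change, secrets must be restored into a key vault before the VM can be created, while key/secret roll-over needs no such step) and the governance-policy condition `if (storageProfile.osDisk.createOption == "Attach") then { exclude <Policy> }`.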
backup https://docs.microsoft.com/en-us/azure/backup/backup-azure-vms-automation https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/backup-azure-vms-automation.md a/articles/backup/backup-azure-vms-automation.md
@@ -224,7 +224,7 @@ NewPolicy AzureVM AzureVM 4/24/2016 1:30:00 AM
Once you've defined the protection policy, you still must enable the policy for an item. Use [Enable-AzRecoveryServicesBackupProtection](/powershell/module/az.recoveryservices/enable-azrecoveryservicesbackupprotection) to enable protection. Enabling protection requires two objects - the item and the policy. Once the policy has been associated with the vault, the backup workflow is triggered at the time defined in the policy schedule. > [!IMPORTANT]
-> While using PowerShell to enable backup for multiple VMs at once, ensure that a single policy doesn't have more than 100 VMs associated with it. This is a [recommended best practice](./backup-azure-vm-backup-faq.md#is-there-a-limit-on-number-of-vms-that-can-beassociated-with-the-same-backup-policy). Currently, the PowerShell client doesn't explicitly block if there are more than 100 VMs, but the check is planned to be added in the future.
+> While using PowerShell to enable backup for multiple VMs at once, ensure that a single policy doesn't have more than 100 VMs associated with it. This is a [recommended best practice](./backup-azure-vm-backup-faq.yml#is-there-a-limit-on-number-of-vms-that-can-be-associated-with-the-same-backup-policy). Currently, the PowerShell client doesn't explicitly block if there are more than 100 VMs, but the check is planned to be added in the future.
The following examples enable protection for the item, V2VM, using the policy, NewPolicy. The examples differ based on whether the VM is encrypted, and what type of encryption.
backup https://docs.microsoft.com/en-us/azure/backup/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/policy-reference.md a/articles/backup/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure Backup description: Lists Azure Policy built-in policy definitions for Azure Backup. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
backup https://docs.microsoft.com/en-us/azure/backup/quick-backup-vm-cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/quick-backup-vm-cli.md a/articles/backup/quick-backup-vm-cli.md
@@ -66,7 +66,7 @@ az backup protection enable-for-vm \
``` > [!IMPORTANT]
-> While using CLI to enable backup for multiple VMs at once, ensure that a single policy doesn't have more than 100 VMs associated with it. This is a [recommended best practice](./backup-azure-vm-backup-faq.md#is-there-a-limit-on-number-of-vms-that-can-beassociated-with-the-same-backup-policy). Currently, the PowerShell client doesn't explicitly block if there are more than 100 VMs, but the check is planned to be added in the future.
+> While using CLI to enable backup for multiple VMs at once, ensure that a single policy doesn't have more than 100 VMs associated with it. This is a [recommended best practice](./backup-azure-vm-backup-faq.yml#is-there-a-limit-on-number-of-vms-that-can-be-associated-with-the-same-backup-policy). Currently, the PowerShell client doesn't explicitly block if there are more than 100 VMs, but the check is planned to be added in the future.
## Start a backup job
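Review bot: the rewritten line still says "Currently, the PowerShell client doesn't explicitly block if there are more than 100 VMs" although this hunk is in the CLI quickstart, directly after `az backup protection enable-for-vm`; since the line is already being edited, change it to say which client lacks the check (the Azure CLI, if that is the case) so readers do not assume the CLI enforces the 100-VM-per-policy limit.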
backup https://docs.microsoft.com/en-us/azure/backup/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/security-controls-policy.md a/articles/backup/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Backup description: Lists Azure Policy Regulatory Compliance controls available for Azure Backup. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
backup https://docs.microsoft.com/en-us/azure/backup/selective-disk-backup-restore https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/backup/selective-disk-backup-restore.md a/articles/backup/selective-disk-backup-restore.md
@@ -332,4 +332,4 @@ Selective disk backup feature is a capability provided on top of the Azure virtu
## Next steps - [Support matrix for Azure VM backup](backup-support-matrix-iaas.md)-- [Frequently asked questions-Back up Azure VMs](backup-azure-vm-backup-faq.md)
+- [Frequently asked questions-Back up Azure VMs](backup-azure-vm-backup-faq.yml)
batch https://docs.microsoft.com/en-us/azure/batch/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/policy-reference.md a/articles/batch/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure Batch description: Lists Azure Policy built-in policy definitions for Azure Batch. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
batch https://docs.microsoft.com/en-us/azure/batch/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/batch/security-controls-policy.md a/articles/batch/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Batch description: Lists Azure Policy Regulatory Compliance controls available for Azure Batch. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
cloud-services-extended-support https://docs.microsoft.com/en-us/azure/cloud-services-extended-support/deploy-portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/deploy-portal.md a/articles/cloud-services-extended-support/deploy-portal.md
@@ -1,5 +1,5 @@
Title: Deploy an Azure Cloud Service (extended support) - Azure portal
+ Title: Deploy a Azure Cloud Service (extended support) - Azure portal
description: Deploy an Azure Cloud Service (extended support) using the Azure portal
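Review bot: the new title line `Title: Deploy a Azure Cloud Service (extended support) - Azure portal` replaces a correct article with an incorrect one; "an Azure" is right, and the unchanged description line directly below still reads "Deploy an Azure Cloud Service", so title and description now disagree. Suggest keeping the original title line.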
@@ -10,7 +10,7 @@ Last updated 10/13/2020
-# Deploy Azure Cloud Services (extended support) using the Azure portal
+# Deploy a Azure Cloud Services (extended support) using the Azure portal
This article explains how to use the Azure portal to create a Cloud Service (extended support) deployment. > [!IMPORTANT]
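Review bot: the new H1 `# Deploy a Azure Cloud Services (extended support) using the Azure portal` has the same article error and also pairs a singular article with a plural noun; the first sentence below it uses the singular ("create a Cloud Service (extended support) deployment"), so either keep the original heading or use "Deploy an Azure Cloud Service (extended support) using the Azure portal".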
@@ -18,19 +18,22 @@ This article explains how to use the Azure portal to create a Cloud Service (ext
> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. > For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-1. Review the [deployment prerequisites](deploy-prerequisite.md) for Cloud Services (extended support) and create the associated resources.
+## Before you begin
-2. Sign in to the [Azure portal](https://portal.azure.com)
+Review the [deployment prerequisites](deploy-prerequisite.md) for Cloud Services (extended support) and create the associated resources.
-3. Using the search bar located at the top of the Azure portal, search for and select **Cloud Services (extended support)**.
+## Deploy a Cloud Services (extended support)
+1. Sign in to the [Azure portal](https://portal.azure.com)
+
+2. Using the search bar located at the top of the Azure portal, search for and select **Cloud Services (extended support)**.
:::image type="content" source="media/deploy-portal-1.png" alt-text="Image shows the all resources blade in the Azure portal.":::
-4. In the Cloud Services (extended support) pane select **Create**.
+3. In the Cloud Services (extended support) pane select **Create**.
:::image type="content" source="media/deploy-portal-2.png" alt-text="Image shows purchasing a cloud service from the marketplace.":::
-5. The Cloud Services (extended support) creation window will open to the **Basics** tab.
+4. The Cloud Services (extended support) creation window will open to the **Basics** tab.
- Select a Subscription. - Choose a resource group or create a new one. - Enter the desired name for your Cloud Service (extended support) deployment.
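Review bot: the added section heading `## Deploy a Cloud Services (extended support)` mixes a singular article with a plural noun; "Deploy a Cloud Service (extended support)" matches the wording used in the Basics-tab bullet ("your Cloud Service (extended support) deployment"). Splitting the prerequisite into "## Before you begin" is a good change; the renumbered step 1 "Sign in to the [Azure portal](https://portal.azure.com)" is now the only step without a terminating period.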
@@ -39,11 +42,11 @@ This article explains how to use the Azure portal to create a Cloud Service (ext
:::image type="content" source="media/deploy-portal-3.png" alt-text="Image shows the Cloud Services (extended support) home blade.":::
-6. Add your cloud service configuration, package and definition files. You can add existing files from blob storage or upload these from your local machine. If uploading from your local machine, these will be then be stored in a storage account.
+5. Add your cloud service configuration, package and definition files. You can add existing files from blob storage or upload these from your local machine. If uploading from your local machine, these will be then be stored in a storage account.
:::image type="content" source="media/deploy-portal-4.png" alt-text="Image shows the upload section of the basics tab during creation.":::
-7. Once all fields have been completed, move to and complete the **Configuration** tab.
+6. Once all fields have been completed, move to and complete the **Configuration** tab.
- Select a virtual network to associate with the Cloud Service or create a new one. - Cloud Service (extended support) deployments **must** be in a virtual network. The virtual network **must** also be referenced in the Service Configuration (.cscfg) file under the `NetworkConfiguration` section. - Select an existing public IP address to associate with the Cloud Service or create a new one.
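Review bot: step 5 carries over the pre-existing typo "these will be then be stored in a storage account" (duplicated "be"); the line is already rewritten for renumbering, so fix it in the same hunk.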
@@ -57,8 +60,9 @@ This article explains how to use the Azure portal to create a Cloud Service (ext
:::image type="content" source="media/deploy-portal-5.png" alt-text="Image shows the configuration blade in the Azure portal when creating a Cloud Services (extended support).":::
-8. Once all fields have been completed, move to the **Review and Create** tab to validate your deployment configuration and create your Cloud Service (extended support).
+7. Once all fields have been completed, move to the **Review and Create** tab to validate your deployment configuration and create your Cloud Service (extended support).
## Next steps - Review [frequently asked questions](faq.md) for Cloud Services (extended support).-- Deploy a Cloud Service (extended support) using the [Azure portal](deploy-portal.md), [PowerShell](deploy-powershell.md), [Template](deploy-template.md) or [Visual Studio](deploy-visual-studio.md).\ No newline at end of file
+- Deploy a Cloud Service (extended support) using the [Azure portal](deploy-portal.md), [PowerShell](deploy-powershell.md), [Template](deploy-template.md) or [Visual Studio](deploy-visual-studio.md).
+- Visit the [Cloud Services (extended support) samples repository](https://github.com/Azure-Samples/cloud-services-extended-support)
\ No newline at end of file
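Review bot: the new bullet `- Visit the [Cloud Services (extended support) samples repository](https://github.com/Azure-Samples/cloud-services-extended-support)` is the only Next-steps item without a trailing period, and the file still ends without a newline on both sides of the hunk; add the period and a final newline so the next edit to this file does not produce a spurious last-line diff.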
cloud-services-extended-support https://docs.microsoft.com/en-us/azure/cloud-services-extended-support/deploy-powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/deploy-powershell.md a/articles/cloud-services-extended-support/deploy-powershell.md
@@ -10,7 +10,7 @@ Last updated 10/13/2020
-# Create a Cloud Service (extended support) using Azure PowerShell
+# Deploy a Cloud Service (extended support) using Azure PowerShell
This article shows how to use the `Az.CloudService` PowerShell module to deploy Cloud Services (extended support) in Azure that has multiple roles (WebRole and WorkerRole) and remote desktop extension.
@@ -19,28 +19,31 @@ This article shows how to use the `Az.CloudService` PowerShell module to deploy
> This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. > For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
-1. Review the [deployment prerequisites](deploy-prerequisite.md) for Cloud Services (extended support) and create the associated resources.
+## Before you begin
-3. Install Az.CloudService PowerShell module
+Review the [deployment prerequisites](deploy-prerequisite.md) for Cloud Services (extended support) and create the associated resources.
+
+## Deploy a Cloud Services (extended support)
+1. Install Az.CloudService PowerShell module
```powershell Install-Module -Name Az.CloudService ```
-4. Create a new resource group. This step is optional if using an existing resource group.
+2. Create a new resource group. This step is optional if using an existing resource group.
```powershell New-AzResourceGroup -ResourceGroupName ΓÇ£ContosOrgΓÇ¥ -Location ΓÇ£East USΓÇ¥ ```
-5. Create a storage account and container which will be used to store the Cloud Service package (.cspkg) and Service Configuration (.cscfg) files. You must use a unique name for storage account name.
+3. Create a storage account and container which will be used to store the Cloud Service package (.cspkg) and Service Configuration (.cscfg) files. You must use a unique name for storage account name.
```powershell $storageAccount = New-AzStorageAccount -ResourceGroupName ΓÇ£ContosOrgΓÇ¥ -Name ΓÇ£contosostorageaccountΓÇ¥ -Location ΓÇ£East USΓÇ¥ -SkuName ΓÇ£Standard_RAGRSΓÇ¥ -Kind ΓÇ£StorageV2ΓÇ¥ $container = New-AzStorageContainer -Name ΓÇ£ContosoContainerΓÇ¥ -Context $storageAccount.Context -Permission Blob ```
-6. Upload your Cloud Service package (cspkg) to the storage account.
+4. Upload your Cloud Service package (cspkg) to the storage account.
```powershell $tokenStartTime = Get-Date
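Review bot: step 3 creates the container with `-Permission Blob`, which enables anonymous public read of every blob in it, including the .cscfg that later steps say must carry the certificate thumbprint; steps 4 and 5 already generate SAS tokens (`$tokenStartTime`, `$cscfgToken`) for the deployment to read the package and configuration, so create the container with `-Permission Off` and rely on the SAS URLs. Separately, the renumbered snippets use typographic quotes (rendered here as ΓÇ£ and ΓÇ¥, the UTF-8 bytes of “ and ” read as an 8-bit code page) around values such as `ContosOrg` and `East US`; PowerShell tolerates them, but they copy poorly, so normalise to straight ASCII quotes while these lines are being touched. The heading `## Deploy a Cloud Services (extended support)` has the same singular/plural mismatch as in deploy-portal.md.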
@@ -51,7 +54,7 @@ This article shows how to use the `Az.CloudService` PowerShell module to deploy
```
-7. Upload your cloud service configuration (cscfg) to the storage account.
+5. Upload your cloud service configuration (cscfg) to the storage account.
```powershell $cscfgBlob = Set-AzStorageBlobContent -File ΓÇ£./ContosoApp/ContosoApp.cscfgΓÇ¥ -Container ContosoContainer -Blob ΓÇ£ContosoApp.cscfgΓÇ¥ -Context $storageAccount.Context
@@ -59,20 +62,20 @@ This article shows how to use the `Az.CloudService` PowerShell module to deploy
$cscfgUrl = $cscfgBlob.ICloudBlob.Uri.AbsoluteUri + $cscfgToken ```
-8. Create a virtual network and subnet. This step is optional if using an existing network and subnet. This example uses a single virtual network and subnet for both cloud service roles (WebRole and WorkerRole).
+6. Create a virtual network and subnet. This step is optional if using an existing network and subnet. This example uses a single virtual network and subnet for both cloud service roles (WebRole and WorkerRole).
```powershell $subnet = New-AzVirtualNetworkSubnetConfig -Name "ContosoWebTier1" -AddressPrefix "10.0.0.0/24" -WarningAction SilentlyContinue $virtualNetwork = New-AzVirtualNetwork -Name ΓÇ£ContosoVNetΓÇ¥ -Location ΓÇ£East USΓÇ¥ -ResourceGroupName ΓÇ£ContosOrgΓÇ¥ -AddressPrefix "10.0.0.0/24" -Subnet $subnet ```
-9. Create a public IP address and (optionally) set the DNS label property of the public IP address. If you are using a static IP, it needs to referenced as a Reserved IP in Service Configuration file.
+7. Create a public IP address and (optionally) set the DNS label property of the public IP address. If you are using a static IP, it needs to referenced as a Reserved IP in Service Configuration file.
```powershell $publicIp = New-AzPublicIpAddress -Name ΓÇ£ContosIpΓÇ¥ -ResourceGroupName ΓÇ£ContosOrgΓÇ¥ -Location ΓÇ£East USΓÇ¥ -AllocationMethod Dynamic -IpAddressVersion IPv4 -DomainNameLabel ΓÇ£contosoappdnsΓÇ¥ -Sku Basic ```
-10. Create Network Profile Object and associate public IP address to the frontend of the platform created load balancer.
+8. Create Network Profile Object and associate public IP address to the frontend of the platform created load balancer.
```powershell $publicIP = Get-AzPublicIpAddress -ResourceGroupName ContosOrg -Name ContosIp
@@ -81,13 +84,13 @@ This article shows how to use the `Az.CloudService` PowerShell module to deploy
$networkProfile = @{loadBalancerConfiguration = $loadBalancerConfig} ```
-11. Create a Key Vault. This Key Vault will be used to store certificates that are associated with the Cloud Service (extended support) roles. The Key Vault must be located in the same region and subscription as cloud service and have a unique name. For more information see [Use certificates with Azure Cloud Services (extended support)](certificates-and-key-vault.md).
+9. Create a Key Vault. This Key Vault will be used to store certificates that are associated with the Cloud Service (extended support) roles. The Key Vault must be located in the same region and subscription as cloud service and have a unique name. For more information see [Use certificates with Azure Cloud Services (extended support)](certificates-and-key-vault.md).
```powershell New-AzKeyVault -Name "ContosKeyVaultΓÇ¥ -ResourceGroupName ΓÇ£ContosoOrgΓÇ¥ -Location ΓÇ£East USΓÇ¥ ```
-13. Update the Key Vault access policy and grant certificate permissions to your user account.
+10. Update the Key Vault access policy and grant certificate permissions to your user account.
```powershell Set-AzKeyVaultAccessPolicy -VaultName 'ContosKeyVault' -ResourceGroupName 'ContosoOrg' -UserPrincipalName 'user@domain.com' -PermissionsToCertificates create,get,list,delete
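Review bot: resource group name mismatch in steps 9 and 10: `New-AzKeyVault` is given `-ResourceGroupName “ContosoOrg”` and `Set-AzKeyVaultAccessPolicy` is given `-ResourceGroupName 'ContosoOrg'`, but the resource group created in step 2 and used in steps 3, 6, 7 and 8 is `ContosOrg`, so both commands fail with a resource-group-not-found error as written. The `New-AzKeyVault -Name "ContosKeyVault”` argument also opens with a straight quote and closes with a curly one; use straight quotes throughout.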
@@ -100,14 +103,14 @@ This article shows how to use the `Az.CloudService` PowerShell module to deploy
```
-14. For the purpose of this example we will add a self signed certificate to a Key Vault. The certificate thumbprint needs to be added in Cloud Service Configuration (.cscfg) file for deployment on cloud service roles.
+11. For the purpose of this example we will add a self signed certificate to a Key Vault. The certificate thumbprint needs to be added in Cloud Service Configuration (.cscfg) file for deployment on cloud service roles.
```powershell $Policy = New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" -SubjectName "CN=contoso.com" -IssuerName "Self" -ValidityInMonths 6 -ReuseKeyOnRenewal Add-AzKeyVaultCertificate -VaultName "ContosKeyVault" -Name "ContosCert" -CertificatePolicy $Policy ```
-15. Create an OS Profile in-memory object. OS Profile specifies the certificates which are associated to cloud service roles. This will be the same certificate created in the previous step.
+12. Create an OS Profile in-memory object. OS Profile specifies the certificates which are associated to cloud service roles. This will be the same certificate created in the previous step.
```powershell $keyVault = Get-AzKeyVault -ResourceGroupName ContosOrg -VaultName ContosKeyVault
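Review bot: the certificate policy in step 11 sets `-ReuseKeyOnRenewal`, so every renewal of the six-month self-signed certificate keeps the same private key; for a sample that is acceptable, but either say so or drop the switch so that renewal also rotates the key, which is the behaviour readers will copy into their own vaults.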
@@ -116,7 +119,7 @@ This article shows how to use the `Az.CloudService` PowerShell module to deploy
$osProfile = @{secret = @($secretGroup)} ```
-16. Create a Role Profile in-memory object. Role profile defines a roles sku specific properties such as name, capacity and tier. For this example, we have defined two roles: frontendRole and backendRole. Role profile information should match the role configuration defined in configuration (cscfg) file and service definition (csdef) file.
+13. Create a Role Profile in-memory object. Role profile defines a roles sku specific properties such as name, capacity and tier. For this example, we have defined two roles: frontendRole and backendRole. Role profile information should match the role configuration defined in configuration (cscfg) file and service definition (csdef) file.
```powershell $frontendRole = New-AzCloudServiceRoleProfilePropertiesObject -Name 'ContosoFrontend' -SkuName 'Standard_D1_v2' -SkuTier 'Standard' -SkuCapacity 2
@@ -124,7 +127,7 @@ This article shows how to use the `Az.CloudService` PowerShell module to deploy
$roleProfile = @{role = @($frontendRole, $backendRole)} ```
-17. (Optional) Create a Extension Profile in-memory object that you want to add to your cloud service. For this example we will add RDP extension.
+14. (Optional) Create a Extension Profile in-memory object that you want to add to your cloud service. For this example we will add RDP extension.
```powershell $credential = Get-Credential
@@ -134,13 +137,13 @@ This article shows how to use the `Az.CloudService` PowerShell module to deploy
$wadExtension = New-AzCloudServiceDiagnosticsExtension -Name "WADExtension" -ResourceGroupName "ContosOrg" -CloudServiceName "ContosCS" -StorageAccountName "ContosSA" -StorageAccountKey $storageAccountKey[0].Value -DiagnosticsConfigurationPath $configFile -TypeHandlerVersion "1.5" -AutoUpgradeMinorVersion $true $extensionProfile = @{extension = @($rdpExtension, $wadExtension)} ```
-18. (Optional) Define Tags as PowerShell hash table which you want to add to your cloud service.
+15. (Optional) Define Tags as PowerShell hash table which you want to add to your cloud service.
```powershell $tag=@{"Owner" = "Contoso"} ```
-19. Create Cloud Service deployment using profile objects & SAS URLs.
+17. Create Cloud Service deployment using profile objects & SAS URLs.
```powershell $cloudService = New-AzCloudService `
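Review bot: the renumbering skips a number: step 15 "(Optional) Define Tags as PowerShell hash table" is followed by `17. Create Cloud Service deployment using profile objects & SAS URLs.`; the intended number is 16.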
@@ -160,3 +163,4 @@ This article shows how to use the `Az.CloudService` PowerShell module to deploy
## Next steps - Review [frequently asked questions](faq.md) for Cloud Services (extended support). - Deploy a Cloud Service (extended support) using the [Azure portal](deploy-portal.md), [PowerShell](deploy-powershell.md), [Template](deploy-template.md) or [Visual Studio](deploy-visual-studio.md).
+- Visit the [Cloud Services (extended support) samples repository](https://github.com/Azure-Samples/cloud-services-extended-support)
cloud-services-extended-support https://docs.microsoft.com/en-us/azure/cloud-services-extended-support/deploy-prerequisite https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/deploy-prerequisite.md a/articles/cloud-services-extended-support/deploy-prerequisite.md
@@ -122,3 +122,4 @@ Key Vault is used to store certificates that are associated to Cloud Services (e
- Review the [deployment prerequisites](deploy-prerequisite.md) for Cloud Services (extended support). - Deploy a Cloud Service (extended support) using the [Azure portal](deploy-portal.md), [PowerShell](deploy-powershell.md), [Template](deploy-template.md) or [Visual Studio](deploy-visual-studio.md). - Review [frequently asked questions](faq.md) for Cloud Services (extended support).
+- Visit the [Cloud Services (extended support) samples repository](https://github.com/Azure-Samples/cloud-services-extended-support)
\ No newline at end of file
cloud-services-extended-support https://docs.microsoft.com/en-us/azure/cloud-services-extended-support/deploy-sdk https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/deploy-sdk.md new file mode 100644 /dev/null
@@ -0,0 +1,336 @@
+
+ Title: Deploy a Cloud Service (extended support) - SDK
+description: Deploy a Cloud Service (extended support) using the Azure SDK
+++++ Last updated : 10/13/2020+++
+# Deploy a Cloud Services (extended support) using SDK
+
+This article shows how to use the [Azure SDK](https://azure.microsoft.com/downloads/) to deploy Cloud Services (extended support) that has multiple roles (WebRole and WorkerRole) and the remote desktop extension.
+
+> [!IMPORTANT]
+> Cloud Services (extended support) is currently in public preview. This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities. For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
+
+## Before you begin
+
+Review the [deployment prerequisites](deploy-prerequisite.md) for Cloud Services (extended support) and create associated resources.
+
+## Deploy a Cloud Services (extended support)
+1. Install the [Azure Compute SDK NuGet package](https://www.nuget.org/packages/Microsoft.Azure.Management.Compute/43.0.0-preview) and initialize the client using a standard authentication mechanism.
+
+ ```csharp
+ public class CustomLoginCredentials : ServiceClientCredentials
+ {
+ private string AuthenticationToken { get; set; }
+ public override void InitializeServiceClient<T>(ServiceClient<T> client)
+ {
+ var authenticationContext = new AuthenticationContext("https://login.windows.net/{tenantID}");
+ var credential = new ClientCredential(clientId: "{clientID}", clientSecret: "{clientSecret}");
+ var result = authenticationContext.AcquireTokenAsync(resource: "https://management.core.windows.net/", clientCredential: credential);
+ if (result == null) throw new InvalidOperationException("Failed to obtain the JWT token");
+ AuthenticationToken = result.Result.AccessToken;
+ }
+ public override async Task ProcessHttpRequestAsync(HttpRequestMessage request, CancellationToken cancellationToken)
+ {
+ if (request == null) throw new ArgumentNullException("request");
+ if (AuthenticationToken == null) throw new InvalidOperationException("Token Provider Cannot Be Null");
+ request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", AuthenticationToken);
+ request.Headers.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
+ //request.Version = new Version(apiVersion);
+ await base.ProcessHttpRequestAsync(request, cancellationToken);
+ }
+
+ var creds = new CustomLoginCredentials();
+ m_subId = Environment.GetEnvironmentVariable("AZURE_SUBSCRIPTION_ID");
+ ResourceManagementClient m_ResourcesClient = new ResourceManagementClient(creds);
+ NetworkManagementClient m_NrpClient = new NetworkManagementClient(creds);
+ ComputeManagementClient m_CrpClient = new ComputeManagementClient(creds);
+ StorageManagementClient m_SrpClient = new StorageManagementClient(creds);
+ m_ResourcesClient.SubscriptionId = m_subId;
+ m_NrpClient.SubscriptionId = m_subId;
+ m_CrpClient.SubscriptionId = m_subId;
+ m_SrpClient.SubscriptionId = m_subId;
+ ```
+
+2. Create a new resource group by installing the Azure Resource Manager NuGet package.
+
+ ```csharp
+ var resourceGroups = m_ResourcesClient.ResourceGroups;
+ var m_location = ΓÇ£East USΓÇ¥;
+ var resourceGroupName = "ContosoRG";//provide existing resource group name, if created already
+ var resourceGroup = new ResourceGroup(m_location);
+ resourceGroup = await resourceGroups.CreateOrUpdateAsync(resourceGroupName, resourceGroup);
+ ```
+
+3. Create a storage account and container which will be used to store the Cloud Service package (.cspkg) and Service Configuration (.cscfg) files. Install the [Azure Storage NuGet package](https://www.nuget.org/packages/Azure.Storage.Common/). This step is optional if using an existing storage account. The storage account name must be unique.
+
+ ```csharp
+ string storageAccountName = ΓÇ£ContosoSASΓÇ¥
+ var stoInput = new StorageAccountCreateParameters
+ {
+ Location = m_location,
+ Kind = Microsoft.Azure.Management.Storage.Models.Kind.StorageV2,
+ Sku = new Microsoft.Azure.Management.Storage.Models.Sku(SkuName.StandardRAGRS),
+ };
+ StorageAccount storageAccountOutput = m_SrpClient.StorageAccounts.Create(rgName,
+ storageAccountName, stoInput);
+ bool created = false;
+ while (!created)
+ {
+ Thread.Sleep(600);
+ var stos = m_SrpClient.StorageAccounts.ListByResourceGroup(rgName);
+ created =
+ stos.Any(
+ t =>
+ StringComparer.OrdinalIgnoreCase.Equals(t.Name, storageAccountName));
+ }
+
+ StorageAccount storageAccountOutput = m_SrpClient.StorageAccounts.GetProperties(rgName, storageAccountName);.
+ var accountKeyResult = m_SrpClient.StorageAccounts.ListKeysWithHttpMessagesAsync(rgName, storageAccountName).Result;
+ CloudStorageAccount storageAccount = new CloudStorageAccount(new StorageCredentials(storageAccountName, accountKeyResult.Body.Keys.FirstOrDefault(). Value), useHttps: true);
+
+ var blobClient = storageAccount.CreateCloudBlobClient();
+ CloudBlobContainer container = blobClient.GetContainerReference("sascontainer");
+ container.CreateIfNotExistsAsync().Wait();
+ sharedAccessBlobPolicy sasConstraints = new SharedAccessBlobPolicy();
+ sasConstraints.SharedAccessStartTime = DateTime.UtcNow.AddDays(-1);
+ sasConstraints.SharedAccessExpiryTime = DateTime.UtcNow.AddDays(2);
+ sasConstraints.Permissions = SharedAccessBlobPermissions.Read | SharedAccessBlobPermissions.Write;
+ ```
+
+4. Upload the Cloud Service package (.cspkg) file to the storage account. The package URL can be a Shared Access Signature (SAS) URI from any storage account.
+
+ ```csharp
+ CloudBlockBlob cspkgblockBlob = container.GetBlockBlobReference(ΓÇ£ContosoApp.cspkgΓÇ¥);
+ cspkgblockBlob.UploadFromFileAsync(ΓÇ£./ContosoApp/ContosoApp.cspkgΓÇ¥). Wait();
+
+ //Generate the shared access signature on the blob, setting the constraints directly on the signature.
+ string cspkgsasContainerToken = cspkgblockBlob.GetSharedAccessSignature(sasConstraints);
+
+ //Return the URI string for the container, including the SAS token.
+ string cspkgSASUrl = cspkgblockBlob.Uri + cspkgsasContainerToken;
+ ```
+
+5. Upload your cloud service configuration (.cscfg) to the storage account. Service Configuration can be specified either as string XML or URL format.
+
+ ```csharp
+ CloudBlockBlob cscfgblockBlob = container.GetBlockBlobReference(ΓÇ£ContosoApp.cscfgΓÇ¥);
+ cscfgblockBlob.UploadFromFileAsync(ΓÇ£./ContosoApp/ContosoApp.cscfgΓÇ¥). Wait();
+
+ //Generate the shared access signature on the blob, setting the constraints directly on the signature.
+ string sasCscfgContainerToken = cscfgblockBlob.GetSharedAccessSignature(sasConstraints);
+
+ //Return the URI string for the container, including the SAS token.
+ string cscfgSASUrl = cscfgblockBlob.Uri + sasCscfgContainerToken;
+ ```
+
+6. Create a virtual network and subnet. Install the [Azure Network NuGet package](https://www.nuget.org/packages/Azure.ResourceManager.Network/). This step is optional if using an existing network and subnet.
+
+ ```csharp
+ VirtualNetwork vnet = new VirtualNetwork(name: vnetName)
+ {
+ AddressSpace = new AddressSpace
+ {
+ AddressPrefixes = new List<string> { "10.0.0.0/16" }
+ },
+ Subnets = new List<Subnet>
+ {
+ new Subnet(name: subnetName)
+ {
+ AddressPrefix = "10.0.0.0/24"
+ }
+ },
+ Location = m_location
+ };
+ m_NrpClient.VirtualNetworks.CreateOrUpdate(resourceGroupName, ΓÇ£ContosoVNetΓÇ¥, vnet);
+ ```
+
+7. Create a public IP address and (optionally) set the DNS label property of the public IP address. If you are using a static IP, it needs to referenced as a Reserved IP in Service Configuration file.
+
+ ```csharp
+ PublicIPAddress publicIPAddressParams = new PublicIPAddress(name: ΓÇ£ContosIpΓÇ¥)
+ {
+ Location = m_location,
+ PublicIPAllocationMethod = IPAllocationMethod.Dynamic,
+ DnsSettings = new PublicIPAddressDnsSettings()
+ {
+ DomainNameLabel = ΓÇ£contosoappdnsΓÇ¥
+ }
+ };
+ PublicIPAddress publicIpAddress = m_NrpClient.PublicIPAddresses.CreateOrUpdate(resourceGroupName, publicIPAddressName, publicIPAddressParams);
+ ```
+
+8. Create Network Profile Object and associate public IP address to the frontend of the platform created load balancer.
+
+ ```csharp
+ LoadBalancerFrontendIPConfiguration feipConfiguration = new LoadBalancerFrontendIPConfiguration()
+ {
+ Name = ΓÇ£ContosoFeΓÇ¥,
+ Properties = new LoadBalancerFrontendIPConfigurationProperties()
+ {
+ PublicIPAddress = new CM.SubResource()
+ {
+ Id = $"/subscriptions/{m_subId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/publicIPAddresses/{publicIPAddressName}",
+ }
+ }
+ };
+
+ CloudServiceNetworkProfile cloudServiceNetworkProfile = new CloudServiceNetworkProfile()
+ {
+ LoadBalancerConfigurations = new List<LoadBalancerConfiguration>()
+ {
+ new LoadBalancerConfiguration()
+ {
+ Name = 'ContosoLB',
+ Properties = new LoadBalancerConfigurationProperties()
+ {
+ FrontendIPConfigurations = new List<LoadBalancerFrontendIPConfiguration>()
+ {
+ feipConfig
+ }
+ }
+ }
+ }
+ };
+
+ ```
+
+9. Create a Key Vault. This Key Vault will be used to store certificates that are associated with the Cloud Service (extended support) roles. The Key Vault must be located in the same region and subscription as cloud service and have a unique name. For more information, see [Use certificates with Azure Cloud Services (extended support)](certificates-and-key-vault.md).
+
+ ```powershell
+ New-AzKeyVault -Name "ContosKeyVaultΓÇ¥ -ResourceGroupName ΓÇ£ContosoOrgΓÇ¥ -Location ΓÇ£East USΓÇ¥
+ ```
+
+10. Update the Key Vault access policy and grant certificate permissions to your user account.
+
+ ```powershell
+ Set-AzKeyVaultAccessPolicy -VaultName 'ContosKeyVault' -ResourceGroupName 'ContosoOrg' -UserPrincipalName 'user@domain.com' -PermissionsToCertificates create,get,list,delete
+ ```
+
+ Alternatively, set access policy via ObjectId (which can be obtained by running Get- AzADUser)
+
+ ```powershell
+ Set-AzKeyVaultAccessPolicy -VaultName 'ContosKeyVault' -ResourceGroupName 'ContosOrg' - ObjectId 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' -PermissionsToCertificates create,get,list,delete
+ ```
+
+11. In this example we will add a self-signed certificate to a Key Vault. The certificate thumbprint needs to be added in Cloud Service Configuration (.cscfg) file for deployment on cloud service roles.
+
+ ```powershell
+ $Policy = New-AzKeyVaultCertificatePolicy -SecretContentType "application/x-pkcs12" - SubjectName "CN=contoso.com" -IssuerName "Self" -ValidityInMonths 6 -ReuseKeyOnRenewal
+ Add-AzKeyVaultCertificate -VaultName "ContosKeyVault" -Name "ContosCert" - CertificatePolicy $Policy
+ ```
+
+12. Create an OS Profile object. OS Profile specifies the certificates, which are associated to cloud service roles. This will be the same certificate created in the previous step.
+
+ ```csharp
+ CloudServiceOsProfile cloudServiceOsProfile =
+ new CloudServiceOsProfile
+ {
+ Secrets = new List<CloudServiceVaultSecretGroup>
+ {
+ New CloudServiceVaultSecretGroup {
+ SourceVault = <sourceVault>,
+ VaultCertificates = <vaultCertificates>
+ }
+ }
+ };
+ ```
+
+13. Create a Role Profile object. Role profile defines a role sku specific properties such as name, capacity and tier. In this example, we have defined two roles: frontendRole and backendRole. Role profile information should match the role configuration defined in configuration (cscfg) file and service definition (csdef) file.
+
+ ```csharp
+ CloudServiceRoleProfile cloudServiceRoleProfile = new CloudServiceRoleProfile()
+ {
+ Roles = new List<CloudServiceRoleProfileProperties>();
+
+ // foreach role in cloudService
+ roles.Add(new CloudServiceRoleProfileProperties()
+ {
+ Name = 'ContosoFrontend',
+ Sku = new CloudServiceRoleSku
+ {
+ Name = 'Standard_D1_v2',
+ Capacity = 2,
+ Tier = 'Standard'
+ }
+ );
+
+ roles.Add(new CloudServiceRoleProfileProperties()
+ {
+ Name = 'ContosoBackend',
+ Sku = new CloudServiceRoleSku
+ {
+ Name = 'Standard_D1_v2',
+ Capacity = 2,
+ Tier = 'Standard'
+ }
+ );
+
+ }
+ }
+ ```
+
+14. (Optional) Create an Extension Profile object that you want to add to your cloud service. In this example we will add RDP extension.
+
+ ```csharp
+ string rdpExtensionPublicConfig = "<PublicConfig>" +
+ "<UserName>adminRdpTest</UserName>" +
+ "<Expiration>2021-10-27T23:59:59</Expiration>" +
+ "</PublicConfig>";
+ string rdpExtensionPrivateConfig = "<PrivateConfig>" +
+ "<Password>VsmrdpTest!</Password>" +
+ "</PrivateConfig>";
+
+ Extension rdpExtension = new Extension
+ {
+ Name = name,
+ Properties = new CloudServiceExtensionProperties
+ {
+ Publisher = "Microsoft.Windows.Azure.Extensions",
+ Type = "RDP",
+ TypeHandlerVersion = "1.2.1",,
+ AutoUpgradeMinorVersion = true,
+ Settings = rdpExtensionPublicConfig,
+ ProtectedSettings = rdpExtensionPrivateConfig,
+ RolesAppliedTo = [ΓÇ£*ΓÇ¥],
+ }
+ };
+
+ CloudServiceExtensionProfile cloudServiceExtensionProfile = new CloudServiceExtensionProfile
+ {
+ Extensions = rdpExtension
+ };
+ ```
+
+15. Create Cloud Service deployment.
+
+ ```csharp
+ CloudService cloudService = new CloudService
+ {
+ Properties = new CloudServiceProperties
+ {
+ RoleProfile = cloudServiceRoleProfile
+ Configuration = < Add Cscfg xml content here>,
+ // ConfigurationUrl = <Add you configuration URL here>,
+ PackageUrl = <Add cspkg SAS url here>,
+ ExtensionProfile = cloudServiceExtensionProfile,
+ OsProfile= cloudServiceOsProfile,
+ NetworkProfile = cloudServiceNetworkProfile,
+ UpgradeMode = 'Auto'
+ },
+ Location = m_location
+ };
+
+ CloudService createOrUpdateResponse = m_CrpClient.CloudServices.CreateOrUpdate(ΓÇ£ContosOrgΓÇ¥, ΓÇ£ContosoCSΓÇ¥, cloudService);
+ ```
+
+## Next steps
+- Review [frequently asked questions](faq.md) for Cloud Services (extended support).
+- Deploy a Cloud Service (extended support) using the [Azure portal](deploy-portal.md), [PowerShell](deploy-powershell.md), [Template](deploy-template.md) or [Visual Studio](deploy-visual-studio.md).
+- Visit the [Cloud Services (extended support) samples repository](https://github.com/Azure-Samples/cloud-services-extended-support)
\ No newline at end of file
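Review bot: the C# in this new article will not compile as pasted, and it embeds secrets and over-scoped SAS tokens that readers will copy into their own deployments. Compile blockers in order of appearance: the `CustomLoginCredentials` class in step 1 is never closed before `var creds = new CustomLoginCredentials();`, and `m_subId`, `vnetName`, `subnetName`, `publicIPAddressName` and `name` are used without ever being declared; step 3 has `string storageAccountName = ΓÇ£ContosoSASΓÇ¥` with no semicolon, `sharedAccessBlobPolicy sasConstraints` (the type is `SharedAccessBlobPolicy`), a statement ending in `;.`, `storageAccountOutput` declared twice, and `rgName` where every other step uses `resourceGroupName`; step 8 adds `feipConfig` to the list but the variable is `feipConfiguration`; steps 8, 13, 14 and 15 use single-quoted strings (`Name = 'ContosoLB'`, `Tier = 'Standard'`, `UpgradeMode = 'Auto'`), which are char literals in C#; step 12 has `New CloudServiceVaultSecretGroup`; step 13 puts `Roles = new List<CloudServiceRoleProfileProperties>();` inside an object initializer and then calls `roles.Add(...)` on a different name; step 14 has `TypeHandlerVersion = "1.2.1",,`, `RolesAppliedTo = [ΓÇ£*ΓÇ¥]`, and assigns a single `Extension` to the `Extensions` collection; step 15 drops the comma after `RoleProfile = cloudServiceRoleProfile`. Every string written as `ΓÇ£...ΓÇ¥` is a Windows-1252 round-trip of curly quotes and needs plain `"`. On the security side: the service principal secret in step 1 and the RDP password `VsmrdpTest!` in step 14 are inline literals with no guidance to read them from Key Vault or configuration, and the bearer token is acquired once in `InitializeServiceClient` via a blocking `.Result` and reused for every request with no refresh; the SAS in step 3 grants `Read | Write` and is backdated a day when the platform only needs to read the .cspkg/.cscfg, so mint a read-only SAS with a short expiry; and step 10 only grants certificate permissions to a user account, while the deploy-template article on this same listing says the vault itself must be enabled so the Cloud Services (extended support) resource can retrieve the certificate, so state that requirement here as well. Minor: steps 9-11 switch from C# to PowerShell in an SDK article without saying so, and the H1 reads "Deploy a Cloud Services" while the title line reads "Deploy a Cloud Service".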
cloud-services-extended-support https://docs.microsoft.com/en-us/azure/cloud-services-extended-support/deploy-template https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/deploy-template.md a/articles/cloud-services-extended-support/deploy-template.md
@@ -1,6 +1,6 @@
Title: Create an Azure Cloud Service (extended support) - Templates
-description: Create an Azure Cloud Service (extended support) by using ARM templates
+ Title: Deploy a Azure Cloud Service (extended support) - Templates
+description: Deploy a Azure Cloud Service (extended support) by using ARM templates
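Review bot: both the new title and the new description read "Deploy a Azure Cloud Service (extended support)"; it should be "an Azure".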
@@ -10,7 +10,7 @@ Last updated 10/13/2020
-# Create a Cloud Service (extended support) using ARM templates
+# Deploy a Cloud Service (extended support) using ARM templates
This tutorial explains how to create a Cloud Service (extended support) deployment using [ARM templates](https://docs.microsoft.com/azure/azure-resource-manager/templates/overview).
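Review bot: the H1 is renamed from "Create" to "Deploy", but the intro sentence directly under it still says "This tutorial explains how to create a Cloud Service (extended support) deployment"; align it with the new heading.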
@@ -35,7 +35,7 @@ This tutorial explains how to create a Cloud Service (extended support) deployme
- The associated Key Vault for must be enabled appropriate permissions so that Cloud Services (extended support) resource can retrieve certificate from Key Vault. For more information, see [Certificates and Key Vault](certificates-and-key-vault.md) - Key vault needs to be referenced in the OsProfile section of the ARM template shown in the below steps.
-## Create a Cloud Service (extended support)
+## Deploy a Cloud Service (extended support)
1. Create virtual network. The name of the virtual network must match the references in the Service Configuration (.cscfg) file. If using an existing virtual network, omit this section from the ARM template. ```json
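Review bot: while renaming this section heading, the prerequisite bullet just above it still reads "The associated Key Vault for must be enabled appropriate permissions so that Cloud Services (extended support) resource can retrieve certificate from Key Vault"; this is the one sentence on the page that states the vault-side requirement, so fix it to something like "must be granted the appropriate permissions so that the Cloud Services (extended support) resource can retrieve the certificate" in the same change.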
@@ -450,3 +450,4 @@ This tutorial explains how to create a Cloud Service (extended support) deployme
## Next steps - Review [frequently asked questions](faq.md) for Cloud Services (extended support). - Deploy a Cloud Service (extended support) using the [Azure portal](deploy-portal.md), [PowerShell](deploy-powershell.md), [Template](deploy-template.md) or [Visual Studio](deploy-visual-studio.md).
+- Visit the [Cloud Services (extended support) samples repository](https://github.com/Azure-Samples/cloud-services-extended-support)
\ No newline at end of file
cloud-services-extended-support https://docs.microsoft.com/en-us/azure/cloud-services-extended-support/sample-create-cloud-service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/sample-create-cloud-service.md a/articles/cloud-services-extended-support/sample-create-cloud-service.md
@@ -184,5 +184,5 @@ $cloudService = New-AzCloudService
## Next steps
-For more information on Azure Cloud Services (extended support), see [Azure Cloud Services (extended support) overview](overview.md).
-
+- For more information on Azure Cloud Services (extended support), see [Azure Cloud Services (extended support) overview](overview.md).
+- Visit the [Cloud Services (extended support) samples repository](https://github.com/Azure-Samples/cloud-services-extended-support)
cloud-services-extended-support https://docs.microsoft.com/en-us/azure/cloud-services-extended-support/sample-get-cloud-service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/sample-get-cloud-service.md a/articles/cloud-services-extended-support/sample-get-cloud-service.md
@@ -94,4 +94,5 @@ Statuses : {{
## Next steps
-For more information on Azure Cloud Services (extended support), see [Azure Cloud Services (extended support) overview](overview.md).
\ No newline at end of file
+- For more information on Azure Cloud Services (extended support), see [Azure Cloud Services (extended support) overview](overview.md).
+- Visit the [Cloud Services (extended support) samples repository](https://github.com/Azure-Samples/cloud-services-extended-support)
\ No newline at end of file
cloud-services-extended-support https://docs.microsoft.com/en-us/azure/cloud-services-extended-support/sample-reset-cloud-service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/sample-reset-cloud-service.md a/articles/cloud-services-extended-support/sample-reset-cloud-service.md
@@ -36,4 +36,5 @@ Reset-AzCloudService -ResourceGroupName "ContosOrg" -CloudServiceName "ContosoCS
## Next steps
-For more information on Azure Cloud Services (extended support), see [Azure Cloud Services (extended support) overview](overview.md).
\ No newline at end of file
+- For more information on Azure Cloud Services (extended support), see [Azure Cloud Services (extended support) overview](overview.md).
+- Visit the [Cloud Services (extended support) samples repository](https://github.com/Azure-Samples/cloud-services-extended-support)
\ No newline at end of file
cloud-services-extended-support https://docs.microsoft.com/en-us/azure/cloud-services-extended-support/sample-update-cloud-service https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services-extended-support/sample-update-cloud-service.md a/articles/cloud-services-extended-support/sample-update-cloud-service.md
@@ -66,4 +66,5 @@ $cloudService | Update-AzCloudService
``` ## Next steps
-For more information on Azure Cloud Services (extended support), see [Azure Cloud Services (extended support) overview](overview.md).
\ No newline at end of file
+For more information on Azure Cloud Services (extended support), see [Azure Cloud Services (extended support) overview](overview.md).
+- Visit the [Cloud Services (extended support) samples repository](https://github.com/Azure-Samples/cloud-services-extended-support)
\ No newline at end of file
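Review bot: the first "For more information on Azure Cloud Services (extended support)" line is re-added without a `- ` bullet prefix while the new samples-repository line below it is a bullet, so this "Next steps" section renders as a paragraph followed by a one-item list; the sibling sample-create, sample-get and sample-reset files in this listing convert both lines to bullets, so do the same here. The file also still has no trailing newline.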
cloud-services https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-guestos-msrc-releases https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cloud-services/cloud-services-guestos-msrc-releases.md a/articles/cloud-services/cloud-services-guestos-msrc-releases.md
@@ -10,7 +10,7 @@
na Previously updated : 1/19/2021 Last updated : 1/26/2021
@@ -18,7 +18,7 @@
The following tables show the Microsoft Security Response Center (MSRC) updates applied to the Azure Guest OS. Search this article to determine if a particular update applies to the Guest OS you are using. Updates always carry forward for the particular [family][family-explain] they were introduced in. ## January 2021 Guest OS
-">[!NOTE]
+>[!NOTE]
>The January Guest OS is currently being rolled out to Cloud Service VMs that are configured for automatic updates. When the rollout is complete, this version will be made available for manual updates through the Azure portal and configuration files. The following patches are included in the January Guest OS. This list is subject to change." | Product Category | Parent KB Article | Vulnerability Description | Guest OS | Date First Introduced |
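Review bot: the stray leading `"` before `>[!NOTE]` is removed, but its partner at the end of the note text (`This list is subject to change."`) is still present on the context line; drop it in the same fix.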
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Custom-Vision-Service/limits-and-quotas https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Custom-Vision-Service/limits-and-quotas.md a/articles/cognitive-services/Custom-Vision-Service/limits-and-quotas.md
@@ -38,8 +38,8 @@ The number of training images per project and tags per project are expected to i
|Max image height/width in pixels|10,240|10,240| |Max image size (training image upload) |6 MB|6 MB| |Max image size (prediction)|4 MB|4 MB|
-|Max regions per object detection training image|300|300|
-|Max tags per classification image|100|100|
+|Max number of regions per image (object detection)|300|300|
+|Max number of tags per image (classification)|100|100|
> [!NOTE] > Images smaller than than 256 pixels will be accepted but upscaled.
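Review bot: the renamed rows are clearer; while touching this table, the note directly below it has a doubled word ("Images smaller than than 256 pixels") that is worth fixing in the same commit.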
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/Translator/reference/v3-0-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/Translator/reference/v3-0-reference.md a/articles/cognitive-services/Translator/reference/v3-0-reference.md
@@ -34,9 +34,9 @@ Microsoft Translator is served out of multiple datacenter locations. Currently t
Requests to the Microsoft Translator are in most cases handled by the datacenter that is closest to where the request originated. In case of a datacenter failure, the request may be routed outside of the Azure geography.
-To force the request to be handled by a specific Azure geography, change the Global endpoint in the API request to the desired regional endpoint:
+To force the request to be handled by a specific Azure geography, change the Global endpoint in the API request to the desired geographical endpoint:
-|Description|Azure geography|Base URL|
+|Description|Azure geography|Base URL (geographical endpoint)|
|:--|:--|:--| |Azure|Global (non-regional)| api.cognitive.microsofttranslator.com| |Azure|United States| api-nam.cognitive.microsofttranslator.com|
@@ -241,4 +241,4 @@ This table lists available metrics with description of how they are used to moni
| ServerErrors| Number of calls with server internal error(5XX).| | ClientErrors| Number of calls with client side error(4XX).| | Latency| Duration to complete request in milliseconds.|
-| CharactersTranslated| Total number of characters in incoming text request.|
\ No newline at end of file
+| CharactersTranslated| Total number of characters in incoming text request.|
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/cognitive-services-development-options https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/cognitive-services-development-options.md a/articles/cognitive-services/cognitive-services-development-options.md
@@ -120,7 +120,7 @@ The tools that you will use to train and configure models are different than tho
| Pillar | Service | Customization UI | Quickstart | |--|||| | Vision | Custom Vision | https://www.customvision.ai/ | [Quickstart](./custom-vision-service/quickstarts/image-classification.md?pivots=programming-language-csharp) |
-| Vision | Form Recognizer | Sample labeling tool | [Quickstart](./form-recognizer/quickstarts/label-tool.md?tabs=v2-0) |
+| Vision | Form Recognizer | [Sample labeling tool](https://fott-preview.azurewebsites.net/) | [Quickstart](./form-recognizer/quickstarts/label-tool.md?tabs=v2-0) |
| Decision | Content Moderator | https://contentmoderator.cognitive.microsoft.com/dashboard | [Quickstart](./content-moderator/review-tool-user-guide/human-in-the-loop.md) | | Decision | Metrics Advisor | https://metricsadvisor.azurewebsites.net/ | [Quickstart](./metrics-advisor/quickstarts/web-portal.md) | | Decision | Personalizer | UI is available in the Azure portal under your Personalizer resource. | [Quickstart](./personalizer/quickstart-personalizer-sdk.md) |
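Review bot: the new link for the Form Recognizer sample labeling tool points at a preview host (fott-preview.azurewebsites.net), which is likely to change or go away; the Quickstart column on the same row already links the label-tool article, so consider pointing this cell at that article (or the tool's stable location) rather than the preview hostname.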
@@ -145,4 +145,4 @@ Many of the Cognitive Services can be deployed in containers for on-prem access
## Next steps <!-- * Learn more about low code development options for Cognitive Services -->
-* [Create a Cognitive Services resource and start building](./cognitive-services-apis-create-account.md?tabs=multiservice%252clinux)
\ No newline at end of file
+* [Create a Cognitive Services resource and start building](./cognitive-services-apis-create-account.md?tabs=multiservice%252clinux)
cognitive-services https://docs.microsoft.com/en-us/azure/cognitive-services/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cognitive-services/policy-reference.md a/articles/cognitive-services/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure Cognitive Services description: Lists Azure Policy built-in policy definitions for Azure Cognitive Services. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
confidential-computing https://docs.microsoft.com/en-us/azure/confidential-computing/confidential-nodes-aks-faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/confidential-computing/confidential-nodes-aks-faq.md a/articles/confidential-computing/confidential-nodes-aks-faq.md
@@ -20,6 +20,10 @@ SLA is not provided during the product preview as defined [here](https://azure.m
Attestation is the process of demonstrating and validating that a piece of software has been properly instantiated on the specific hardware platform. It also ensures its evidence is verifiable to provide assurances that it is running in a secure platform and has not been tampered with. [Read more](attestation.md) on how attestation is done for enclave apps.
+## Can I enable Accelerated Networking with Azure confidential computing AKS Clusters?
+
+No. Accelerated Networking isn't supported on confidential computing nodes on AKS. Ensure that Accelerated Networking is disabled in your deployment.
+ ## Can I bring my existing containerized applications and run it on AKS with Azure Confidential Computing? Yes, review the [confidential containers page](confidential-containers.md) for more details on platform enablers.
confidential-computing https://docs.microsoft.com/en-us/azure/confidential-computing/faq https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/confidential-computing/faq.md a/articles/confidential-computing/faq.md
@@ -40,6 +40,14 @@ Based on the information bubble next to the VM, there are different actions to t
Make sure you've selected an [available region](https://azure.microsoft.com/global-infrastructure/services/?products=virtual-machines). Also make sure you select ΓÇ£clear all filtersΓÇ¥ in the size selector.
+**Can I enable Accelerated Networking with Azure confidential computing?**
+
+ No. Accelerated Networking isn't supported on DC-Series or DCsv2-Series virtual machines. Accelerated Networking cannot be enabled for any confidential computing virtual machine deployment or Azure Kubernetes Service cluster deployment running on confidential computing.
+
+**Can I use Azure Dedicated Host with these machines?**
+
+Yes. Azure Dedicated Host support DCsv2-series virtual machines. Azure Dedicated Host provides a single-tenant physical server to run your virtual machines on. Users usually use Azure Dedicated Host to address compliance requirements around physical security, data integrity, and monitoring.
+ **I get an Azure Resource Manager template deployment failure error: "Operation could not be completed as it results in exceeding approved standard DcsV2 Family Cores Quota"** [Create a support request to increase your quota](../azure-portal/supportability/per-vm-quota-requests.md). Free trial subscriptions don't have quota for confidential computing VMs.
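Review bot: in the new Dedicated Host answer, "Azure Dedicated Host support DCsv2-series virtual machines" should be "supports". The new Accelerated Networking answer is also indented by one leading space, unlike every other answer in this file, and it names the series as "DC-Series or DCsv2-Series" while the next answer writes "DCsv2-series"; pick one form.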
container-registry https://docs.microsoft.com/en-us/azure/container-registry/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/policy-reference.md a/articles/container-registry/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure Container Registry description: Lists Azure Policy built-in policy definitions for Azure Container Registry. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
container-registry https://docs.microsoft.com/en-us/azure/container-registry/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/container-registry/security-controls-policy.md a/articles/container-registry/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Container Registry description: Lists Azure Policy Regulatory Compliance controls available for Azure Container Registry. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
cosmos-db https://docs.microsoft.com/en-us/azure/cosmos-db/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/policy-reference.md a/articles/cosmos-db/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure Cosmos DB description: Lists Azure Policy built-in policy definitions for Azure Cosmos DB. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
cosmos-db https://docs.microsoft.com/en-us/azure/cosmos-db/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/security-controls-policy.md a/articles/cosmos-db/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Cosmos DB description: Lists Azure Policy Regulatory Compliance controls available for Azure Cosmos DB. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
cosmos-db https://docs.microsoft.com/en-us/azure/cosmos-db/set-throughput https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/cosmos-db/set-throughput.md a/articles/cosmos-db/set-throughput.md
@@ -5,7 +5,7 @@
Previously updated : 01/19/2021 Last updated : 01/25/2021 # Introduction to provisioned throughput in Azure Cosmos DB
data-factory https://docs.microsoft.com/en-us/azure/data-factory/connector-xero https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/connector-xero.md a/articles/data-factory/connector-xero.md
@@ -9,7 +9,7 @@
Previously updated : 10/29/2020 Last updated : 01/26/2021
@@ -30,11 +30,8 @@ You can copy data from Xero to any supported sink data store. For a list of data
Specifically, this Xero connector supports: -- Xero [private application](https://developer.xero.com/documentation/getting-started/getting-started-guide) but not public application.
+- OAuth 2.0 and OAuth 1.0 authentication. For OAuth 1.0, the connector supports Xero [private application](https://developer.xero.com/documentation/getting-started/getting-started-guide) but not public application.
- All Xero tables (API endpoints) except "Reports".-- OAuth 1.0 and OAuth 2.0 authentication.-
-Azure Data Factory provides a built-in driver to enable connectivity, therefore you don't need to manually install any driver using this connector.
## Getting started
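Review bot: the sentence "Azure Data Factory provides a built-in driver to enable connectivity, therefore you don't need to manually install any driver using this connector" is deleted without a replacement; if it still holds, keep it, since it answers a question readers have for every connector, and if it no longer holds, say what the connector now requires instead.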
@@ -53,8 +50,8 @@ The following properties are supported for Xero linked service:
| ***Under `connectionProperties`:*** | | | | host | The endpoint of the Xero server (`api.xero.com`). | Yes | | authenticationType | Allowed values are `OAuth_2.0` and `OAuth_1.0`. | Yes |
-| consumerKey | The consumer key associated with the Xero application. Mark this field as a SecureString to store it securely in Data Factory, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | Yes |
-| privateKey | The private key from the .pem file that was generated for your Xero private application, see [Create a public/private key pair](https://developer.xero.com/documentation/auth-and-limits/create-publicprivate-key). Note to **generate the privatekey.pem with numbits of 512** using `openssl genrsa -out privatekey.pem 512`, 1024 is not supported. Include all the text from the .pem file including the Unix line endings(\n), see sample below.<br/>Mark this field as a SecureString to store it securely in Data Factory, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | Yes |
+| consumerKey | For OAuth 2.0, specify the **client ID** for your Xero application.<br>For OAuth 1.0, specify the consumer key associated with the Xero application.<br>Mark this field as a SecureString to store it securely in Data Factory, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | Yes |
+| privateKey | For OAuth 2.0, specify the **client secret** for your Xero application.<br>For OAuth 1.0, specify the private key from the .pem file that was generated for your Xero private application, see [Create a public/private key pair](https://developer.xero.com/documentation/auth-and-limits/create-publicprivate-key). Note to **generate the privatekey.pem with numbits of 512** using `openssl genrsa -out privatekey.pem 512`, 1024 is not supported. Include all the text from the .pem file including the Unix line endings(\n), see sample below.<br/><br>Mark this field as a SecureString to store it securely in Data Factory, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | Yes |
| tenantId | The tenant ID associated with your Xero application. Applicable for OAuth 2.0 authentication.<br>Learn how to get the tenant ID from [Check the tenants you're authorized to access section](https://developer.xero.com/documentation/oauth2/auth-flow). | Yes for OAuth 2.0 authentication | | refreshToken | Applicable for OAuth 2.0 authentication.<br/>The OAuth 2.0 refresh token is associated with the Xero application and used to refresh the access token; the access token expires after 30 minutes. Learn about how the Xero authorization flow works and how to get the refresh token from [this article](https://developer.xero.com/documentation/oauth2/auth-flow). To get a refresh token, you must request the [offline_access scope](https://developer.xero.com/documentation/oauth2/scopes). <br/>**Know limitation**: Note Xero resets the refresh token after it's used for access token refresh. For operationalized workload, before each copy activity run, you need to set a valid refresh token for ADF to use.<br/>Mark this field as a SecureString to store it securely in Data Factory, or [reference a secret stored in Azure Key Vault](store-credentials-in-key-vault.md). | Yes for OAuth 2.0 authentication | | useEncryptedEndpoints | Specifies whether the data source endpoints are encrypted using HTTPS. The default value is true. | No |
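Review bot: Reusing `consumerKey` and `privateKey` to carry the OAuth 2.0 client ID and client secret is confusing; the rows explain it, but one sentence above the table saying that the OAuth 1.0 property names are reused for OAuth 2.0 values would save readers from looking for a `clientId`/`clientSecret` property. The OAuth 1.0 part of the privateKey row still instructs `openssl genrsa -out privatekey.pem 512`; a 512-bit RSA key is far below current minimum key-size recommendations, so the text should present this as a known limitation of the OAuth 1.0 path and steer readers to OAuth 2.0 rather than state it as a neutral instruction. In the refreshToken row, "**Know limitation**" should read "**Known limitation**", and since Xero rotates the refresh token on every use and the row already recommends Key Vault, a pointer to how the rotated token is written back to the secret store before each run would complete the operational guidance.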
@@ -74,11 +71,11 @@ The following properties are supported for Xero linked service:
"authenticationType":"OAuth_2.0", "consumerKey": { "type": "SecureString",
- "value": "<consumer key>"
+ "value": "<client ID>"
}, "privateKey": { "type": "SecureString",
- "value": "<private key>"
+ "value": "<client secret>"
}, "tenantId":ΓÇ»"<tenant ID>", "refreshToken":ΓÇ»{
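Review bot: The unchanged context line `"tenantId":ΓÇ»"<tenant ID>", "refreshToken":ΓÇ»{` contains a non-breaking space (rendered here as `ΓÇ»`) between key and value; JSON permits only space, tab, CR and LF as whitespace, so a reader who copies the sample gets a parse error. Replace those characters with ordinary spaces while this block is being touched. The new `<client ID>` and `<client secret>` placeholders match the table above.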
data-factory https://docs.microsoft.com/en-us/azure/data-factory/data-flow-reserved-capacity-overview https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-flow-reserved-capacity-overview.md new file mode 100644 /dev/null
@@ -0,0 +1,54 @@
+
+ Title: Save compute costs with reserved capacity
+description: Learn how to buy Azure Data Factory data flow reserved capacity to save on your compute costs.
++++ Last updated : 01/25/2021+
+# Save costs for resources with reserved capacity - Azure Data Factory data flows
+
+Save money with Azure Data Factory data flow costs by committing to a reservation for compute resources compared to pay-as-you-go prices. With reserved capacity, you make a commitment for ADF data flow usage for a period of one or three years to get a significant discount on the compute costs. To purchase reserved capacity, you need to specify the Azure region, compute type, core count, and term.
+
+You do not need to assign the reservation to a specific factory or integration runtime. Existing factories or newly deployed factories automatically get the benefit. By purchasing a reservation, you commit to usage for the data flow compute costs for a period of one or three years. As soon as you buy a reservation, the compute charges that match the reservation attributes are no longer charged at the pay-as-you go rates.
+
+You can buy reserved capacity in the [Azure portal](https://portal.azure.com). Pay for the reservation [up front or with monthly payments](https://docs.microsoft.com/azure/cost-management-billing/reservations/prepare-buy-reservation.md). To buy reserved capacity:
+
+- You must be in the owner role for at least one Enterprise or individual subscription with pay-as-you-go rates.
+- For Enterprise subscriptions, **Add Reserved Instances** must be enabled in the [EA portal](https://ea.azure.com). Or, if that setting is disabled, you must be an EA Admin on the subscription. Reserved capacity.
+
+For more information about how enterprise customers and Pay-As-You-Go customers are charged for reservation purchases, see [Understand Azure reservation usage for your Enterprise enrollment](https://docs.microsoft.com/azure/cost-management-billing/reservations/understand-reserved-instance-usage-ea) and [Understand Azure reservation usage for your Pay-As-You-Go subscription](https://docs.microsoft.com/azure/cost-management-billing/reservations/understand-reserved-instance-usage.md).
+
+> [!NOTE]
+> Purchasing reserved capacity does not pre-allocate or reserve specific infrastructure resources (virtual machines or clusters) for your use.
+
+## Determine proper Azure IR sizes needed before purchase
+
+The size of reservation should be based on the total amount of compute used by the existing or soon-to-be-deployed data flows using the same compute tier.
+
+For example, let's suppose that you are executing a pipeline hourly using memory optimized with 32 cores. Further, let's supposed that you plan to deploy within the next month an additional pipeline that uses general purpose 64 cores. Also, let's suppose that you know that you will need these resources for at least 1 year. In this case, you should purchase a 32 cores 1-year reservation for memory optimized data flows and a general purpose 64 core 1-year reservation.
+
+## Buy reserved capacity
+
+1. Sign in to the [Azure portal](https://portal.azure.com).
+2. Select **All services** > **Reservations**.
+3. Select **Add** and then in the **Purchase Reservations** pane, select **ADF Data Flows** to purchase a new reservation for ADF data flows.
+4. Fill in the required fields and attributes you select qualify to get the reserved capacity discount. The actual number of data flows that get the discount depends on the scope and quantity selected.
+5. Review the cost of the capacity reservation in the **Costs** section.
+6. Select **Purchase**.
+7. Select **View this Reservation** to see the status of your purchase.
+
+## Cancel, exchange, or refund reservations
+
+You can cancel, exchange, or refund reservations with certain limitations. For more information, see [Self-service exchanges and refunds for Azure Reservations](https://docs.microsoft.com/azure/cost-management-billing/reservations/exchange-and-refund-azure-reservations.md).
+
+## Need help? Contact us
+
+If you have questions or need help, [create a support request](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).
+
+## Next steps
+
+To learn more about Azure Reservations, see the following articles:
+
+- [Understand Azure Reservations discount](data-flow-understand-reservation-charges.md)
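Review bot: Several links in the new file use absolute `https://docs.microsoft.com/azure/...` URLs that end in `.md` (the prepare-buy-reservation, understand-reserved-instance-usage and exchange-and-refund links); the live site does not serve `.md` paths, so drop the extension or use the relative cross-service link form used elsewhere in the repo. The bullet "Or, if that setting is disabled, you must be an EA Admin on the subscription. Reserved capacity." ends in a stray fragment. Step 4, "Fill in the required fields and attributes you select qualify to get the reserved capacity discount.", is missing a connective (for example "Fill in the required fields. Data flows whose attributes match the ones you select qualify for the discount."). Also "let's supposed" should read "let's suppose", and as rendered here the front matter shows only "++++ Last updated : 01/25/2021+", so confirm the required metadata fields are present in the source.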
data-factory https://docs.microsoft.com/en-us/azure/data-factory/data-flow-understand-reservation-charges https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/data-flow-understand-reservation-charges.md new file mode 100644 /dev/null
@@ -0,0 +1,40 @@
+
+ Title: Understand reservations discount for Azure Data Factory data flows | Microsoft Docs
+description: Learn how a reservation discount is applied to running ADF data flows. The discount is applied to these data flows on an hourly basis.
+++ Last updated : 01/25/2021+++
+# How a reservation discount is applied to Azure Data Factory data flows
+
+After you buy ADF data flow reserved capacity, the reservation discount is automatically applied to data flows using an Azure integration runtime that match the compute type and core count of the reservation.
+
+## How reservation discount is applied
+
+A reservation discount is "*use-it-or-lose-it*". So, if you don't have matching Azure integration resources used for any hour, then you lose a reservation quantity for that hour. You can't carry forward unused reserved hours.
+
+When you stop using the integration runtime for data flows, the reservation discount automatically applies to another matching resource in the specified scope. If no matching resources are found in the specified scope, then the reserved hours are *lost*.
+
+## Discount applied to ADF data flows
+
+The ADF data flow reserved capacity discount is applied to executing integration runtimes on an hourly basis. The reservation that you buy is matched to the compute usage emitted by the integration runtime being utilized. For data flows that don't run the full hour, the reservation is automatically applied to other data flows matching the reservation attributes. The discount can apply to data flows that are running concurrently. If you don't have data flows that run for the full hour that match the reservation attributes, you don't get the full benefit of the reservation discount for that hour.
+
+The following examples show how the ADF data flow reserved capacity discount applies depending on the number of cores you bought, and when they're running.
+
+- Scenario 1: You buy an ADF data flow reserved capacity for 80 cores of memory optimized compute. You run a data flow with an Azure integration runtime set to 144 cores of memory optimized for one hour. You're charged the pay-as-you-go price for 64 cores of data flow usage for one hour. You get the reservation discount for one hour of 80 cores of memory optimized usage.
+- Scenario 2: You buy an ADF data flow reserved capacity for 32 cores of general purpose compute. You debug your data flows for 1 hour using 32 cores of general compute Azure integration runtime. You get the reservation discount for that entire hour of usage.
+
+To understand and view the application of your Azure Reservations in billing usage reports, see [Understand Azure reservation usage](https://docs.microsoft.com/azure/cost-management-billing/reservations/understand-reserved-instance-usage-ea).
+
+## Need help? Contact us
+
+If you have questions or need help, [create a support request](https://go.microsoft.com/fwlink/?linkid=2083458).
+
+## Next steps
+
+To learn more about Azure Reservations, see the following article:
+
+- [What are Azure Reservations?](https://docs.microsoft.com/azure/cost-management-billing/reservations/save-compute-costs-reservations)
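Review bot: The "Need help? Contact us" section links to a `go.microsoft.com/fwlink` redirector here while the companion file data-flow-reserved-capacity-overview.md links directly to the portal support blade; pick one target for both files. In Scenario 1 the arithmetic is consistent (144 cores used, 80 reserved, 64 billed at pay-as-you-go), but the text should state explicitly that matching is on compute type as well as core count, since the scenario depends on both runtimes being memory optimized. Scenario 2 says "general compute" where the rest of the file says "general purpose".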
data-factory https://docs.microsoft.com/en-us/azure/data-factory/join-azure-ssis-integration-runtime-virtual-network https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/join-azure-ssis-integration-runtime-virtual-network.md a/articles/data-factory/join-azure-ssis-integration-runtime-virtual-network.md
@@ -68,7 +68,10 @@ If your SSIS packages access Azure resources that support [virtual network servi
## Access to data sources protected by IP firewall rule
-If your SSIS packages access data stores/resources that allow only specific static public IP addresses and you want to secure access to those resources from Azure-SSIS IR, you can bring your own [public IP addresses](../virtual-network/virtual-network-public-ip-address.md) for Azure-SSIS IR while joining it to a virtual network and then add an IP firewall rule to the relevant resources to allow access from those IP addresses.
+If your SSIS packages access data stores/resources that allow only specific static public IP addresses and you want to secure access to those resources from Azure-SSIS IR, you can associate [public IP addresses](../virtual-network/virtual-network-public-ip-address.md) with Azure-SSIS IR while joining it to a virtual network and then add an IP firewall rule to the relevant resources to allow access from those IP addresses. There are two alternative ways to do this:
+
+- When you create Azure-SSIS IR, you can bring your own public IP addresses and specify them via [Data Factory UI or SDK](#join-the-azure-ssis-ir-to-a-virtual-network). Only the outbound internet connectivity of Azure-SSIS IR will use your provided public IP addresses and other devices in the subnet will not use them.
+- You can also setup [Virtual Network NAT](../virtual-network/nat-overview.md) for the subnet that Azure-SSIS IR will join and all outbound connectivity in this subnet will use your specified public IP addresses.
In all cases, the virtual network can be deployed only through the Azure Resource Manager deployment model.
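Review bot: "setup" in "You can also setup [Virtual Network NAT]" should be "set up" (verb). More importantly, the two options differ in what the downstream IP firewall rule ends up trusting: with bring-your-own public IPs only Azure-SSIS IR egresses from those addresses, whereas with Virtual Network NAT every resource in the subnet does, so a data store that allow-lists those addresses implicitly trusts anything else later deployed into that subnet. The NAT bullet should say that the subnet should be dedicated to Azure-SSIS IR, otherwise readers may weaken the very control they are setting up.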
data-factory https://docs.microsoft.com/en-us/azure/data-factory/ssis-integration-runtime-management-troubleshoot https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-factory/ssis-integration-runtime-management-troubleshoot.md a/articles/data-factory/ssis-integration-runtime-management-troubleshoot.md
@@ -147,7 +147,7 @@ SSIS IR will be automatically updated on a regular basis. A new Azure Batch pool
If SSIS IR provisioning fails, all the resources that were created are deleted. However, if there's a resource delete lock at the subscription or resource group level, Virtual Network resources are not deleted as expected. To fix this error, remove the delete lock and restart the IR.
-### VNetResourceGroupLockedDuringStop
+### VNetResourceGroupLockedDuringStop/VNetDeleteLock
When you stop SSIS IR, all the resources related to Virtual Network are deleted. But deletion can fail if there's a resource delete lock at the subscription or resource group level. Here, too, the customer controls and sets the delete lock. Therefore, they must remove the delete lock and then stop SSIS IR again.
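Review bot: The heading now names two codes, `VNetResourceGroupLockedDuringStop` and `VNetDeleteLock`, but the body does not say when each is raised; add a sentence that distinguishes them, or states that they report the same delete-lock condition, so a reader searching for `VNetDeleteLock` knows this guidance applies.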
data-lake-analytics https://docs.microsoft.com/en-us/azure/data-lake-analytics/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-lake-analytics/policy-reference.md a/articles/data-lake-analytics/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure Data Lake Analytics description: Lists Azure Policy built-in policy definitions for Azure Data Lake Analytics. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
data-lake-analytics https://docs.microsoft.com/en-us/azure/data-lake-analytics/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-lake-analytics/security-controls-policy.md a/articles/data-lake-analytics/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Data Lake Analytics description: Lists Azure Policy Regulatory Compliance controls available for Azure Data Lake Analytics. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
data-lake-store https://docs.microsoft.com/en-us/azure/data-lake-store/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-lake-store/policy-reference.md a/articles/data-lake-store/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure Data Lake Storage Gen1 description: Lists Azure Policy built-in policy definitions for Azure Data Lake Storage Gen1. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
data-lake-store https://docs.microsoft.com/en-us/azure/data-lake-store/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/data-lake-store/security-controls-policy.md a/articles/data-lake-store/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Data Lake Storage Gen1 description: Lists Azure Policy Regulatory Compliance controls available for Azure Data Lake Storage Gen1. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-2101-release-notes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-2101-release-notes.md a/articles/databox-online/azure-stack-edge-gpu-2101-release-notes.md
@@ -40,13 +40,13 @@ The following table provides a summary of known issues in the 2101 release.
| | | | | |**1.**|Preview features |For this release, the following features: Local Azure Resource Manager, VMs, Cloud management of VMs, Azure Arc enabled Kubernetes, VPN for Azure Stack Edge Pro R and Azure Stack Edge Mini R, Multi-process service (MPS) for Azure Stack Edge Pro GPU - are all available in preview. |These features will be generally available in later releases. | |**2.**|Kubernetes Dashboard | *Https* endpoint for Kubernetes Dashboard with SSL certificate is not supported. | |
-|**3.**|Kubernetes |Edge container registry doesn't work when web proxy is enabled.|The functionality will be available in a future release. |
-|**4.**|Kubernetes |Edge container registry doesn't work with IoT Edge modules.| |
-|**5.**|Kubernetes |Kubernetes doesn't support ":" in environment variable names that are used by .NET applications. That is also required for Event grid IoT Edge module to function on Azure Stack Edge device and other applications. For more information, see [ASP.NET core documentation](/aspnet/core/fundamentals/configuration/?tabs=basicconfiguration&view=aspnetcore-3.1&preserve-view=true#environment-variables).|Replace ":" by double underscore. For more information,see [Kubernetes issue](https://github.com/kubernetes/kubernetes/issues/53201)|
-|**6.** |Azure Arc + Kubernetes cluster |By default, when resource `yamls` are deleted from the Git repository, the corresponding resources aren't deleted from the Kubernetes cluster. |You need to set `--sync-garbage-collection` in Arc OperatorParams to allow the deletion of resources when they're deleted from the git repository. For more information, see [Delete a configuration](../azure-arc/kubernetes/use-gitops-connected-cluster.md#additional-parameters). |
-|**7.**|NFS |Applications that use NFS share mounts on your device to write data should use Exclusive write. Using Exclusive write ensures that the writes are written to the disk.| |
-|**8.**|Compute configuration |Compute configuration fails in network configurations where gateways or switches or routers respond to Address Resolution Protocol (ARP) requests for systems that don't exist on the network.| |
-|**9.**|Compute and Kubernetes |If Kubernetes is set up first on your device, it claims all the available GPUs. Hence, it's not possible to create Azure Resource Manager VMs using GPUs after setting up the Kubernetes. |If your device has 2 GPUs, then you can create 1 VM that uses the GPU and then configure Kubernetes. In this case, Kubernetes will use the remaining available 1 GPU. |
+|**3.**|Kubernetes |Edge container registry does not work when web proxy is enabled.|The functionality will be available in a future release. |
+|**4.**|Kubernetes |Edge container registry does not work with IoT Edge modules.| |
+|**5.**|Kubernetes |Kubernetes doesn't support ":" in environment variable names that are used by .NET applications. This is also required for Event grid IoT Edge module to function on Azure Stack Edge device and other applications. For more information, see [ASP.NET core documentation](/aspnet/core/fundamentals/configuration/?tabs=basicconfiguration&view=aspnetcore-3.1&preserve-view=true#environment-variables).|Replace ":" by double underscore. For more information,see [Kubernetes issue](https://github.com/kubernetes/kubernetes/issues/53201)|
+|**6.** |Azure Arc + Kubernetes cluster |By default, when resource `yamls` are deleted from the Git repository, the corresponding resources are not deleted from the Kubernetes cluster. |You need to set `--sync-garbage-collection` in Arc OperatorParams to allow the deletion of resources when deleted from git repository. For more information, see [Delete a configuration](../azure-arc/kubernetes/use-gitops-connected-cluster.md#additional-parameters). |
+|**7.**|NFS |Applications that use NFS share mounts on your device to write data should use Exclusive write. This ensures that the writes are written to the disk.| |
+|**8.**|Compute configuration |Compute configuration fails in network configurations where gateways or switches or routers respond to Address Resolution Protocol (ARP) requests for systems that do not exist on the network.| |
+|**9.**|Compute and Kubernetes |If Kubernetes is set up first on your device, it claims all the available GPUs. Hence, it is not possible to create Azure Resource Manager VMs using GPUs after setting up the Kubernetes. |If your device has 2 GPUs, then you can create 1 VM that uses the GPU and then configure Kubernetes. In this case, Kubernetes will use the remaining available 1 GPU. |
## Known issues from previous releases
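Review bot: The edit expands contractions in rows 3 to 9 but leaves "Kubernetes doesn't support" in row 5, so the table is still inconsistent; either expand that one too or leave the contractions alone. Row 5 also still reads "For more information,see" with a missing space on both sides of the change, and row 6 now says "when deleted from git repository", dropping the article and the capital G used earlier in the same cell ("the Git repository").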
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-create-virtual-machine-image https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-create-virtual-machine-image.md a/articles/databox-online/azure-stack-edge-gpu-create-virtual-machine-image.md
@@ -7,7 +7,7 @@
Previously updated : 12/08/2020 Last updated : 01/25/2021 #Customer intent: As an IT admin, I need to understand how to create and upload Azure VM images that I can use with my Azure Stack Edge Pro device so that I can deploy VMs on the device.
@@ -16,11 +16,11 @@
<!--[!INCLUDE [applies-to-skus](../../includes/azure-stack-edge-applies-to-all-sku.md)]-->
-To deploy VMs on your Azure Stack Edge Pro device, you need to be able to create custom VM images that you can use to create VMs. This article describes the steps required to create Linux or Windows VM custom images that you can use to deploy VMs on your Azure Stack Edge Pro device.
+To deploy VMs on your Azure Stack Edge Pro device, you need to be able to create custom VM images that you can use to create VMs. This article describes the steps that are required to create Linux or Windows VM custom images that you can use to deploy VMs on your Azure Stack Edge Pro device.
## VM image workflow
-The workflow requires you to create a virtual machine in Azure, customize the VM, generalize, and then download the VHD corresponding to that VM. This generalized VHD is uploaded to Azure Stack Edge Pro, managed disk is created from that VHD, image is created from managed disk, and finally VMs are created from that image.
+The workflow requires you to create a virtual machine in Azure, customize the VM, generalize, and then download the VHD corresponding to that VM. This generalized VHD is uploaded to Azure Stack Edge Pro. A managed disk is created from that VHD. An image is created from the managed disk. And, finally, VMs are created from that image.
For more information, go to [Deploy a VM on your Azure Stack Edge Pro device using Azure PowerShell](azure-stack-edge-gpu-deploy-virtual-machine-powershell.md).
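Review bot: "And, finally, VMs are created from that image." opens a sentence with a conjunction; since the rewritten paragraph is now a sequence of short steps (create the VM in Azure, customize and generalize it, download the VHD, upload it and create a managed disk, create an image, create VMs from the image), a numbered list would read better than a chain of one-clause sentences.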
@@ -73,7 +73,7 @@ Use this VHD to now create and deploy a VM on your Azure Stack Edge Pro device.
|[Ubuntu Server](https://azuremarketplace.microsoft.com/marketplace/apps/canonical.ubuntuserver) |Ubuntu Server is the world's most popular Linux for cloud environments.|Canonical| |[Debian 8 "Jessie"](https://azuremarketplace.microsoft.com/marketplace/apps/credativ.debian) |Debian GNU/Linux is one of the most popular Linux distributions. |credativ|
-For a full list of Azure Marketplace images that could work (presently not tested), go to [Azure Marketplace items available for Azure Stack Hub](/azure-stack/operator/azure-stack-marketplace-azure-items?view=azs-1910).
+For a full list of Azure Marketplace images that could work (presently not tested), go to [Azure Marketplace items available for Azure Stack Hub](/azure-stack/operator/azure-stack-marketplace-azure-items?view=azs-1910&preserve-view=true).
## Next steps
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-deploy-gpu-virtual-machine https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-deploy-gpu-virtual-machine.md a/articles/databox-online/azure-stack-edge-gpu-deploy-gpu-virtual-machine.md
@@ -637,4 +637,4 @@ Requestld IsSuccessStatusCode StatusCode ReasonPhrase
## Next steps
-[Azure Resource Manager cmdlets](/powershell/module/azurerm.resources/?view=azurermps-6.13.0)
\ No newline at end of file
+[Azure Resource Manager cmdlets](/powershell/module/azurerm.resources/?view=azurermps-6.13.0&preserve-view=true)
\ No newline at end of file
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-deploy-stateful-application-dynamic-provision-kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-deploy-stateful-application-dynamic-provision-kubernetes.md a/articles/databox-online/azure-stack-edge-gpu-deploy-stateful-application-dynamic-provision-kubernetes.md
@@ -7,7 +7,7 @@
Previously updated : 08/26/2020 Last updated : 01/25/2021
@@ -20,7 +20,7 @@ This procedure is intended for those who have reviewed the [Kubernetes storage o
## Prerequisites
-Before you can deploy the stateful application, make sure that you have completed the following prerequisites on your device and the client that you will use to access the device:
+Before you can deploy the stateful application, complete the following prerequisites on your device and the client that you will use to access the device:
### For device
@@ -31,7 +31,7 @@ Before you can deploy the stateful application, make sure that you have complete
### For client accessing the device - You have a Windows client system that will be used to access the Azure Stack Edge Pro device.
- - The client is running Windows PowerShell 5.0 or later. To download the latest version of Windows PowerShell, go to [Install Windows PowerShell](/powershell/scripting/install/installing-windows-powershell?view=powershell-7).
+ - The client is running Windows PowerShell 5.0 or later. To download the latest version of Windows PowerShell, go to [Install Windows PowerShell](/powershell/scripting/install/installing-windows-powershell?view=powershell-7&preserve-view=true).
- You can have any other client with a [Supported operating system](azure-stack-edge-gpu-system-requirements.md#supported-os-for-clients-connected-to-device) as well. This article describes the procedure when using a Windows client.
@@ -62,7 +62,7 @@ All `kubectl` commands you use to create and manage stateful application deploym
kubectl get pods -n <your-namespace> ```
- Here is an example of command usage:
+ Here's an example of command usage:
```powershell C:\Users\user>kubectl get pods -n "userns1"
@@ -145,7 +145,7 @@ All `kubectl` commands you use to create and manage stateful application deploym
`kubectl apply -f <URI path to the mysql-pv.yml file> -n <your-user-namespace>`
- Here is a sample output of the deployment.
+ Here's a sample output of the deployment.
```powershell
@@ -153,13 +153,13 @@ All `kubectl` commands you use to create and manage stateful application deploym
persistentvolumeclaim/mysql-pv-claim-sc created C:\Users\user> ```
- Note the name of the PVC created, here it is `mysql-pv-claim-sc`. You will use it in a later step.
+ Note the name of the PVC created - in this example, `mysql-pv-claim-sc`. You will use it in a later step.
4. Deploy the contents of the `mysql-deployment.yml` file. `kubectl apply -f <URI path to mysql-deployment.yml file> -n <your-user-namespace>`
- Here is a sample output of the deployment.
+ Here's a sample output of the deployment.
```powershell C:\Users\user>kubectl apply -f "C:\stateful-application\mysql-deployment.yml" -n userns1
@@ -220,7 +220,7 @@ All `kubectl` commands you use to create and manage stateful application deploym
`kubectl get pods -l <app=label> -n <your-user-namespace>`
- Here is a sample output.
+ Here's a sample output.
```powershell
@@ -234,7 +234,7 @@ All `kubectl` commands you use to create and manage stateful application deploym
`kubectl describe pvc <your-pvc-name>`
- Here is a sample output.
+ Here's a sample output.
```powershell
@@ -275,7 +275,7 @@ To verify that the application is running, type:
When prompted, provide the password. The password is in your `mysql-deployment` file.
-Here is a sample output.
+Here's a sample output.
```powershell C:\Users\user>kubectl exec mysql-695c4d9dcd-rvzff -i -t -n userns1 -- mysql -p
@@ -303,7 +303,7 @@ kubectl delete deployment <deployment-name>,svc <service-name> -n <your-namespac
kubectl delete pvc <your-pvc-name> -n <your-namespace> ```
-Here is sample output of when you delete the deployment and the service.
+Here's sample output of when you delete the deployment and the service.
```powershell C:\Users\user>kubectl delete deployment,svc mysql -n userns1
@@ -311,7 +311,7 @@ deployment.apps "mysql" deleted
service "mysql" deleted C:\Users\user> ```
-Here is sample output of when you delete the PVC.
+Here's sample output of when you delete the PVC.
```powershell C:\Users\user>kubectl delete pvc mysql-pv-claim-sc -n userns1
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-deploy-stateful-application-static-provision-kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-deploy-stateful-application-static-provision-kubernetes.md a/articles/databox-online/azure-stack-edge-gpu-deploy-stateful-application-static-provision-kubernetes.md
@@ -7,7 +7,7 @@
Previously updated : 09/22/2020 Last updated : 01/25/2021
@@ -22,7 +22,7 @@ Azure Stack Edge Pro also supports running Azure SQL Edge containers and these c
## Prerequisites
-Before you can deploy the stateful application, make sure that you have completed the following prerequisites on your device and the client that you will use to access the device:
+Before you can deploy the stateful application, complete the following prerequisites on your device and the client that you will use to access the device:
### For device
@@ -33,7 +33,7 @@ Before you can deploy the stateful application, make sure that you have complete
### For client accessing the device - You have a Windows client system that will be used to access the Azure Stack Edge Pro device.
- - The client is running Windows PowerShell 5.0 or later. To download the latest version of Windows PowerShell, go to [Install Windows PowerShell](/powershell/scripting/install/installing-windows-powershell?view=powershell-7).
+ - The client is running Windows PowerShell 5.0 or later. To download the latest version of Windows PowerShell, go to [Install Windows PowerShell](/powershell/scripting/install/installing-windows-powershell?view=powershell-7&preserve-view=true).
- You can have any other client with a [Supported operating system](azure-stack-edge-gpu-system-requirements.md#supported-os-for-clients-connected-to-device) as well. This article describes the procedure when using a Windows client.
@@ -46,7 +46,7 @@ Before you can deploy the stateful application, make sure that you have complete
- Make sure that the `kubectl` client version is skewed no more than one version from the Kubernetes master version running on your Azure Stack Edge Pro device. - Use `kubectl version` to check the version of kubectl running on the client. Make a note of the full version. - In the local UI of your Azure Stack Edge Pro device, go to **Overview** and note the Kubernetes software number.
- - Verify these two versions for compatibility from the mapping provided in the Supported Kubernetes version <!-- insert link-->.
+ - Verify these two versions for compatibility from the mapping provided in the Supported Kubernetes version.<!-- insert link-->
You are ready to deploy a stateful application on your Azure Stack Edge Pro device.
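Review bot: the `<!-- insert link-->` comment on the "Verify these two versions" line is only being moved past the period; the link to the Supported Kubernetes version mapping is still missing, so readers are told to check a mapping they cannot reach. Either add the link in this change or drop the sentence until the target page exists.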
@@ -86,7 +86,7 @@ All `kubectl` commands you use to create and manage stateful application deploym
kubectl get pods -n <your-namespace> ```
- Here is an example of command usage:
+ Here's an example of command usage:
```powershell C:\Users\user>kubectl get pods -n "userns1"
@@ -172,7 +172,7 @@ All `kubectl` commands you use to create and manage stateful application deploym
`kubectl apply -f <URI path to the mysql-pv.yml file> -n <your-user-namespace>`
- Here is a sample output of the deployment.
+ Here's a sample output of the deployment.
```powershell
@@ -187,7 +187,7 @@ All `kubectl` commands you use to create and manage stateful application deploym
`kubectl apply -f <URI path to mysql-deployment.yml file> -n <your-user-namespace>`
- Here is a sample output of the deployment.
+ Here's a sample output of the deployment.
```powershell C:\Users\user>kubectl apply -f "C:\stateful-application\mysql-deployment.yml" -n userns1
@@ -248,7 +248,7 @@ All `kubectl` commands you use to create and manage stateful application deploym
`kubectl get pods -l <app=label> -n <your-user-namespace>`
- Here is a sample output.
+ Here's a sample output.
```powershell
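Review bot: the unchanged `kubectl get pods -l <app=label> -n <your-user-namespace>` line wraps the whole selector in angle brackets, which reads as if `app=label` were one placeholder; `-l` takes a `key=value` label selector, so `-l app=<your-app-label>` would make clear which part the reader replaces.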
@@ -263,7 +263,7 @@ All `kubectl` commands you use to create and manage stateful application deploym
`kubectl describe pvc <your-pvc-name>`
- Here is a sample output.
+ Here's a sample output.
```powershell
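Review bot: the unchanged `kubectl describe pvc <your-pvc-name>` line is the only command in this article without `-n <your-namespace>`; without it, kubectl looks in the current context's namespace, so a PVC created in `userns1` as in the surrounding samples will not be found. Add the namespace flag for consistency with the other commands.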
@@ -295,7 +295,7 @@ To run a command against a container in a pod that is running MySQL, type:
`kubectl exec <your-pod-with-the-app> -i -t -n <your-namespace> -- mysql`
-Here is a sample output.
+Here's a sample output.
```powershell C:\Users\user>kubectl exec mysql-c85f7f79c-vzz7j -i -t -n userns1 -- mysql
@@ -323,7 +323,7 @@ kubectl delete deployment <deployment-name>,svc <service-name> -n <your-namespac
kubectl delete pvc <your-pvc-name> -n <your-namespace> ```
-Here is sample output of when you delete the deployment and the service.
+Here's sample output of when you delete the deployment and the service.
```powershell C:\Users\user>kubectl delete deployment,svc mysql -n userns1
@@ -331,13 +331,13 @@ deployment.apps "mysql" deleted
service "mysql" deleted C:\Users\user> ```
-Here is sample output of when you delete the PVC.
+Here's sample output of when you delete the PVC.
```powershell C:\Users\user>kubectl delete pvc mysql-pv-claim -n userns1 persistentvolumeclaim "mysql-pv-claim" deleted C:\Users\user>
-```
+```
The PV is no longer bound to the PVC as the PVC was deleted. As the PV was provisioned when the share was created, you will need to delete the share. Follow these steps:
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-deploy-stateless-application-git-ops-guestbook https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-deploy-stateless-application-git-ops-guestbook.md a/articles/databox-online/azure-stack-edge-gpu-deploy-stateless-application-git-ops-guestbook.md
@@ -1,27 +1,27 @@
Title: Deploy PHP Guestbook app on Arc enabled Kubernetes on Azure Stack Edge Pro GPU device| Microsoft Docs
-description: Describes how to deploy a PHP Guestbook stateless application with Redis using GitOps on an Arc enabled Kubernetes cluster of your Azure Stack Edge Pro device.
+ Title: Deploy `PHP Guestbook` app on Arc enabled Kubernetes on Azure Stack Edge Pro GPU device| Microsoft Docs
+description: Describes how to deploy a PHP `Guestbook` stateless application with Redis using GitOps on an Arc enabled Kubernetes cluster of your Azure Stack Edge Pro device.
Previously updated : 08/25/2020 Last updated : 01/25/2021
-# Deploy a PHP Guestbook stateless application with Redis on Arc enabled Kubernetes cluster on Azure Stack Edge Pro GPU
+# Deploy a PHP `Guestbook` stateless application with Redis on Arc enabled Kubernetes cluster on Azure Stack Edge Pro GPU
This article shows you how to build and deploy a simple, multi-tier web application using Kubernetes and Azure Arc. This example consists of the following components: -- A single-instance Redis master to store guestbook entries
+- A single-instance Redis master to store `guestbook` entries
- Multiple replicated Redis instances to serve reads - Multiple web frontend instances The deployment is done using GitOps on the Arc enabled Kubernetes cluster on your Azure Stack Edge Pro device.
-This procedure is intended for those who have reviewed the [Kubernetes workloads on Azure Stack Edge Pro device](azure-stack-edge-gpu-kubernetes-workload-management.md) and are familiar with the concepts of [What is Azure Arc enabled Kubernetes (Preview)](../azure-arc/kubernetes/overview.md).
+This procedure is intended for people who have reviewed the [Kubernetes workloads on Azure Stack Edge Pro device](azure-stack-edge-gpu-kubernetes-workload-management.md) and are familiar with the concepts of [What is Azure Arc enabled Kubernetes (Preview)](../azure-arc/kubernetes/overview.md).
> [!NOTE] > This article contains references to the term slave, a term that Microsoft no longer uses. When the term is removed from the software, weΓÇÖll remove it from this article.
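Review bot: wrapping `PHP Guestbook` and `Guestbook` in backticks inside the `title:` and `description:` metadata is questionable, since those values are emitted into the page's HTML title and meta description, where markdown code spans are not rendered; "guestbook entries" in the body is ordinary prose rather than an identifier, so the code formatting there reads oddly as well. Reserve backticks for real names such as the `demotestguestbook` namespace. Also, the apostrophe in the NOTE's "we'll" appears as `ΓÇÖ` in this view, which indicates a non-ASCII quote character that is worth replacing with a plain apostrophe.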
@@ -45,18 +45,18 @@ Before you can deploy the stateless application, make sure that you have complet
1. You have a Windows client system that will be used to access the Azure Stack Edge Pro device.
- - The client is running Windows PowerShell 5.0 or later. To download the latest version of Windows PowerShell, go to [Install Windows PowerShell](/powershell/scripting/install/installing-windows-powershell?view=powershell-7).
+ - The client is running Windows PowerShell 5.0 or later. To download the latest version of Windows PowerShell, go to [Install Windows PowerShell](/powershell/scripting/install/installing-windows-powershell?view=powershell-7&preserve-view = true).
- You can have any other client with a [Supported operating system](azure-stack-edge-gpu-system-requirements.md#supported-os-for-clients-connected-to-device) as well. This article describes the procedure when using a Windows client. 1. You have completed the procedure described in [Access the Kubernetes cluster on Azure Stack Edge Pro device](azure-stack-edge-gpu-create-kubernetes-cluster.md). You have:
- - Installed `kubectl` on the client <!--and saved the `kubeconfig` file with the user configuration to C:\\Users\\&lt;username&gt;\\.kube. -->
+ - Installed `kubectl` on the client. <!--and saved the `kubeconfig` file with the user configuration to C:\\Users\\&lt;username&gt;\\.kube. -->
- Make sure that the `kubectl` client version is skewed no more than one version from the Kubernetes master version running on your Azure Stack Edge Pro device. - Use `kubectl version` to check the version of kubectl running on the client. Make a note of the full version. - In the local UI of your Azure Stack Edge Pro device, go to **Overview** and note the Kubernetes software number.
- - Verify these two versions for compatibility from the mapping provided in the Supported Kubernetes version <!--insert link-->.
+ - Verify these two versions for compatibility from the mapping provided in the Supported Kubernetes version. <!--insert link-->
1. You have a [GitOps configuration that you can use to run an Azure Arc deployment](https://github.com/kagoyal/dbehaikudemo). In this example, you will use the following `yaml` files to deploy on your Azure Stack Edge Pro device.
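Review bot: `?view=powershell-7&preserve-view = true` in the new Install Windows PowerShell link has spaces around `=`, so the query parameter will not be parsed as `preserve-view=true` (the same link in the stateful-application article uses `&preserve-view=true`); remove the spaces. The `<!--insert link-->` placeholder after "Supported Kubernetes version" is likewise moved rather than resolved, so the compatibility mapping remains unlinked. Finally, the GitOps source `https://github.com/kagoyal/dbehaikudemo` is a personal repository whose manifests get applied to the reader's cluster; pointing readers at a repository the docs team controls would make the example safer to follow.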
@@ -82,18 +82,18 @@ Follow these steps to configure the Azure Arc resource to deploy a GitOps config
![Screenshot shows the Azure Arc enabled Kubernetes cluster with Add configuration selected.](media/azure-stack-edge-gpu-connect-powershell-interface/select-configurations-1.png)
-1. In the **Add configuration**, enter the appropriate values for the fields and select **Apply**.
+1. In **Add configuration**, enter the appropriate values for the fields, and then select **Apply**.
|Parameter |Description | ||| |Configuration name | Name for the configuration resource. | |Operator instance name |Instance name of the operator to identify a specific configuration. Name is a string of maximum 253 characters that must be lowercase, alphanumeric, hyphen, and period only. |
- |Operator namespace | Set to **demotestguestbook** as this matches the namespace specified in the deployment `yaml`. <br> The field defines the namespace where the operator is installed. Name is a string of maximum 253 characters that must be lowercase, alphanumeric, hyphen, and period only. |
+ |Operator namespace | Set to **demotestguestbook** to match the namespace specified in the deployment `yaml`. <br> The field defines the namespace where the operator is installed. Name is a string of maximum 253 characters that must be lowercase, alphanumeric, hyphen, and period only. |
|Repository URL |<br>Path to the git repository in `http://github.com/username/repo` or `git://github.com/username/repo` format where your GitOps configuration is located. |
- |Operator scope | Select **Namespace**. <br>This defines the scope at which the operator is installed. Select this as namespace. Your operator will be installed in namespace specified in the deployment yaml files. |
- |Operator type | Leave at default. <br>This specifies the type of the operator, by default, set as flux. |
- |Operator params | Leave this blank. <br>This field contains parameters to pass to the flux operator. |
- |Helm | Set this to **Disabled**. <br>Enable this option if you will do chart based deployments. |
+ |Operator scope | Select **Namespace**. <br>This parameter defines the scope at which the operator is installed. Select Namespace to install your operator in the namespace specified in the deployment yaml files. |
+ |Operator type | Leave at default. <br>This parameter specifies the type of the operator - by default, set as flux. |
+ |Operator params | Leave this blank. <br>This parameter contains parameters to pass to the flux operator. |
+ |Helm | Set this parameter to **Disabled**. <br>Enable this option if you will do chart-based deployments. |
![Add configuration](media/azure-stack-edge-gpu-connect-powershell-interface/add-configuration-1.png)
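Review bot: the Repository URL row tells readers to use `http://github.com/username/repo` or `git://github.com/username/repo`; both are unauthenticated, unencrypted transports, and whatever the Flux operator fetches from that URL is applied to the cluster, so the example format should be `https://github.com/username/repo`. The same cell also starts with a stray `<br>`, and "flux" in the Operator type row should be capitalized as the product name Flux.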
@@ -132,7 +132,7 @@ The deployment via the GitOps configuration creates a `demotestguestbook` namesp
[10.128.44.240]: PS> ```
-1. In this example, the frontend service was deployed as type:LoadBalancer. You will need to find the IP address of this service to view the guestbook. Run the following command.
+1. In this example, the frontend service was deployed as type:LoadBalancer. You will need to find the IP address of this service to view the `guestbook`. Run the following command.
`kubectl get service -n <your-namespace>`
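Review bot: `type:LoadBalancer` on the reworded line is plain text while the next hunk writes it as a code span; pick one form, and since it refers to the Service `spec.type` field, the code-formatted form is the better one.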
@@ -145,13 +145,13 @@ The deployment via the GitOps configuration creates a `demotestguestbook` namesp
redis-slave ClusterIP 10.104.215.146 <none> 6379/TCP 85m [10.128.44.240]: PS> ```
-1. The frontend service of `type:LoadBalancer` has an external IP address. This IP is from the IP address range that you specified for external services when configuring the Compute network settings on the device. Use this IP address to view the guestbook at URL: `https://<external-IP-address>`.
+1. The frontend service of `type:LoadBalancer` has an external IP address. This IP is from the IP address range that you specified for external services when configuring the Compute network settings on the device. Use this IP address to view the `guestbook` at URL: `https://<external-IP-address>`.
![View guestbook](media/azure-stack-edge-gpu-connect-powershell-interface/view-guestbook-1.png) ## Delete deployment
-To delete the deployment, you can delete the configuration from the Azure portal. This would delete the objects created including deployments and services.
+To delete the deployment, you can delete the configuration from the Azure portal. Deleting the configuration will delete the objects that were created, including deployments and services.
1. In the Azure portal, go the Azure Arc resource > Configurations. 1. Locate the configuration you want to delete. Select the ... to invoke the context menu and select **Delete**.
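Review bot: the unchanged "go the Azure Arc resource > Configurations" is missing "to", and "Select the ... to invoke the context menu" would be clearer as "Select the ellipsis (...) to open the context menu". On the reworded LoadBalancer line, the frontend is reachable by anything on the external-services address range configured on the device, so it is worth saying explicitly that the guestbook is exposed on the local network; also confirm that the `https://<external-IP-address>` scheme matches the port the frontend service shows in the `kubectl get service` output.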
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-deploy-virtual-machine-custom-script-extension https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-deploy-virtual-machine-custom-script-extension.md a/articles/databox-online/azure-stack-edge-gpu-deploy-virtual-machine-custom-script-extension.md
@@ -7,7 +7,7 @@
Previously updated : 01/05/2021 Last updated : 01/25/2021 #Customer intent: As an IT admin, I need to understand how to create and manage virtual machines (VMs) on my Azure Stack Edge Pro device using APIs so that I can efficiently manage my VMs.
@@ -28,7 +28,7 @@ The Custom Script Extension integrates with Azure Resource Manager templates. Yo
#### Supported OS for Custom Script Extension on Windows
-The Custom Script Extension for Windows will run on the following OSs. Other versions may work but have not been tested in-house on VMs running on Azure Stack Edge Pro devices.
+The Custom Script Extension for Windows will run on the following OSs. Other versions may work but haven't been tested in-house on VMs running on Azure Stack Edge Pro devices.
| Distribution | Version | |||
@@ -37,7 +37,7 @@ The Custom Script Extension for Windows will run on the following OSs. Other ver
#### Supported OS for Custom Script Extension on Linux
-The Custom Script Extension for Linux will run on the following OSs. Other versions may work but have not been tested in-house on VMs running on Azure Stack Edge Pro devices.
+The Custom Script Extension for Linux will run on the following OSs. Other versions may work but haven't been tested in-house on VMs running on Azure Stack Edge Pro devices.
| Distribution | Version | |||
@@ -59,13 +59,13 @@ If your script is on a local server, then you may still need additional firewall
## Prerequisites
-1. [Download the VM templates and parameters files](https://aka.ms/ase-vm-templates) to your client machine. Unzip it into a directory youΓÇÖll use as a working directory.
+1. [Download the VM templates and parameters files](https://aka.ms/ase-vm-templates) to your client machine. Unzip the download into a directory youΓÇÖll use as a working directory.
-1. You should have a VM created and deployed on your device. To create VMs, follow all the steps in the [Deploy VM on your Azure Stack Edge Pro using templates](azure-stack-edge-gpu-deploy-virtual-machine-templates.md).
+1. You should have a VM created and deployed on your device. To create VMs, follow all the steps in [Deploy VM on your Azure Stack Edge Pro using templates](azure-stack-edge-gpu-deploy-virtual-machine-templates.md).
- If you need to download a script externally such as from GitHub or Azure Storage, while configuring compute network, enable the port that is connected to the Internet, for compute. This allows you to download the script.
+ If you need to download a script such as from GitHub or Azure Storage externally, while configuring compute network, enable the port that is connected to the Internet for compute. This allows you to download the script.
- Here is an example where Port 2 was connected to the internet and was used to enable the compute network. If you've identified that Kubernetes is not needed in the earlier step, you can skip the Kubernetes node IP and external service IP assignment.
+ In the following example, Port 2 was connected to the internet and was used to enable the compute network. If you identified that Kubernetes isn't needed in the earlier step, you can skip the Kubernetes node IP and external service IP assignment.
![Enable compute settings on port connected to internet](media/azure-stack-edge-gpu-deploy-gpu-virtual-machine/enable-compute-network-1.png)
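Review bot: the reworded sentence "If you need to download a script such as from GitHub or Azure Storage externally, while configuring compute network, enable the port..." moves "externally" to an odd position and is harder to read than the original. Suggest: "If you need to download a script from an external source such as GitHub or Azure Storage, enable the Internet-connected port for compute when you configure the compute network." Since the extension executes whatever it downloads, it is also worth noting that the script location should be one the reader controls.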
@@ -112,7 +112,7 @@ The file `addCSExtWindowsVM.parameters.json` takes the following parameters:
``` Provide your VM name, name for the extension and the command that you want to execute.
-Here is a sample parameter file that was used in this article.
+Here's the sample parameter file that was used in this article.
```powershell {
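Review bot: the sample that follows "Here's the sample parameter file that was used in this article" opens with `{` and is JSON, but the fence is tagged `powershell`; tag it `json`, as the `CreateImage.parameters.json` samples in the templates article are, so highlighting and copy behave correctly.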
@@ -155,7 +155,7 @@ New-AzureRmResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile $tem
> [!NOTE] > The extension deployment is a long running job and takes about 10 minutes to complete.
-Here is a sample output:
+Here's a sample output:
```powershell PS C:\WINDOWS\system32> $templateFile = "C:\12-09-2020\ExtensionTemplates\addCSExtensiontoVM.json"
@@ -193,7 +193,7 @@ To check the deployment state of extensions for a given VM, run the following co
```powershell Get-AzureRmVMExtension -ResourceGroupName <Name of resource group> -VMName <Name of VM> -Name <Name of the extension> ```
-Here is a sample output:
+Here's a sample output:
```powershell PS C:\WINDOWS\system32> Get-AzureRmVMExtension -ResourceGroupName myasegpuvm1 -VMName VM5 -Name CustomScriptExtension
@@ -278,7 +278,7 @@ The file `addCSExtLinuxVM.parameters.json` takes the following parameters:
``` Provide your VM name, name for the extension and the command that you want to execute.
-Here is a sample parameter file that was used in this article:
+Here's a sample parameter file that was used in this article:
```powershell $templateFile = "<Path to addCSExtensionToVM.json file>"
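Review bot: the lead-in "Here's a sample parameter file that was used in this article:" is followed by a block that begins `$templateFile = "<Path to addCSExtensionToVM.json file>"`, which is PowerShell assigning variables, not the contents of `addCSExtLinuxVM.parameters.json`. Either show the JSON parameter file here or change the lead-in to say this is the PowerShell used to run the deployment.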
@@ -290,7 +290,7 @@ New-AzureRmResourceGroupDeployment -ResourceGroupName $RGName -TemplateFile $tem
> [!NOTE] > The extension deployment is a long running job and takes about 10 minutes to complete.
-Here is a sample output:
+Here's a sample output:
```powershell PS C:\WINDOWS\system32> $templateFile = "C:\12-09-2020\ExtensionTemplates\addCSExtensionToVM.json"
@@ -339,7 +339,7 @@ Template deployment is a long running job. To check the deployment state of exte
```powershell Get-AzureRmVMExtension -ResourceGroupName myResourceGroup -VMName <VM Name> -Name <Extension Name> ```
-Here is a sample output:
+Here's a sample output:
```powershell PS C:\WINDOWS\system32> Get-AzureRmVMExtension -ResourceGroupName myasegpuvm1 -VMName VM5 -Name CustomScriptExtension
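Review bot: `Get-AzureRmVMExtension -ResourceGroupName myResourceGroup -VMName <VM Name> -Name <Extension Name>` mixes a hardcoded resource group with angle-bracket placeholders; the Windows section of the same article uses `<Name of resource group>` for this parameter. Use a placeholder here as well.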
@@ -378,7 +378,7 @@ To remove the Custom Script Extension, use the following command:
`Remove-AzureRmVMExtension -ResourceGroupName <Resource group name> -VMName <VM name> -Name <Extension name>`
-Here is a sample output:
+Here's a sample output:
```powershell PS C:\WINDOWS\system32> Remove-AzureRmVMExtension -ResourceGroupName myasegpuvm1 -VMName VM6 -Name LinuxCustomScriptExtension
@@ -393,4 +393,4 @@ RequestId IsSuccessStatusCode StatusCode ReasonPhrase
## Next steps
-[Azure Resource Manager cmdlets](/powershell/module/azurerm.resources/?view=azurermps-6.13.0)
+[Azure Resource Manager cmdlets](/powershell/module/azurerm.resources/?view=azurermps-6.13.0&preserve-view=true)
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-deploy-virtual-machine-powershell https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-deploy-virtual-machine-powershell.md a/articles/databox-online/azure-stack-edge-gpu-deploy-virtual-machine-powershell.md
@@ -1,20 +1,20 @@
Title: Deploy VMs on your Azure Stack Edge Pro GPU device via Azure PowerShell
-description: Describes how to create and manage virtual machines (VMs) on a Azure Stack Edge Pro GPU device using Azure PowerShell.
+description: Describes how to create and manage virtual machines (VMs) on an Azure Stack Edge Pro GPU device using Azure PowerShell.
Previously updated : 12/23/2020 Last updated : 01/22/2021 #Customer intent: As an IT admin, I need to understand how to create and manage virtual machines (VMs) on my Azure Stack Edge Pro device using APIs so that I can efficiently manage my VMs. # Deploy VMs on your Azure Stack Edge Pro GPU device via Azure PowerShell
-This article describes how to create and manage a VM on your Azure Stack Edge Pro device using Azure PowerShell. This article applies to Azure Stack Edge Pro GPU, Azure Stack Edge Pro R and Azure Stack Edge Mini R devices.
+This article describes how to create and manage a VM on your Azure Stack Edge Pro device using Azure PowerShell. This article applies to Azure Stack Edge Pro GPU, Azure Stack Edge Pro R, and Azure Stack Edge Mini R devices.
## VM deployment workflow
@@ -27,14 +27,14 @@ The deployment workflow is illustrated in the following diagram.
[!INCLUDE [azure-stack-edge-gateway-deploy-vm-prerequisites](../../includes/azure-stack-edge-gateway-deploy-virtual-machine-prerequisites.md)]
-## Query for built in subscription on the device
+## Query for built-in subscription on the device
-For Azure Resource Manager, only a single user-visible fixed subscription is supported. This subscription is unique per device and this subscription name or subscription ID cannot be changed.
+For Azure Resource Manager, only a single user-visible fixed subscription is supported. This subscription is unique per device, and the subscription name or subscription ID cannot be changed.
This subscription contains all the resources that are created required for VM creation. > [!IMPORTANT]
-> This subscription is created when you enable VMs from the Azure portal and it lives locally on your device .
+> This subscription is created when you enable VMs from the Azure portal, and it lives locally on your device.
This subscription is used to deploy the VMs.
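Review bot: the unchanged "This subscription contains all the resources that are created required for VM creation." has two verbs fighting each other; since the neighbouring lines are being edited for grammar, reword it to "This subscription contains all the resources required for VM creation."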
@@ -115,7 +115,7 @@ Successfully created Resource Group:rg191113014333
## Create a storage account
-Create a new storage account using the resource group created in the previous step. This is a **local storage account** that will be used to upload the virtual disk image for the VM.
+Create a new storage account using the resource group created in the previous step. This account is a **local storage account** that will be used to upload the virtual disk image for the VM.
```powershell New-AzureRmStorageAccount -Name <Storage account name> -ResourceGroupName <Resource group name> -Location DBELocal -SkuName Standard_LRS
@@ -174,7 +174,7 @@ key2 gd34TcaDzDgsY9JtDNMUgLDOItUU0Qur3CBo6Q...
## Add blob URI to hosts file
-You already added the blob URI in hosts file for the client that you are using to connect to Blob storage in the section [Modify host file for endpoint name resolution](azure-stack-edge-j-series-connect-resource-manager.md#step-5-modify-host-file-for-endpoint-name-resolution). This was the entry for the blob URI:
+You already added the blob URI in the hosts file for the client that you are using to connect to Blob storage in the section [Modify host file for endpoint name resolution](azure-stack-edge-j-series-connect-resource-manager.md#step-5-modify-host-file-for-endpoint-name-resolution). This entry was used to add the blob URI:
\<Azure consistent network services VIP \> \<storage name\>.blob.\<appliance name\>.\<dnsdomain\>
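Review bot: the hunk context `key2 gd34TcaDzDgsY9JtDNMUgLDOItUU0Qur3CBo6Q...` shows part of a storage account key in the sample output; even a device-local key should be redacted in published docs (for example `key2 <redacted>`), and if the sample came from a real device the key should be regenerated. The hosts-file line `\<Azure consistent network services VIP \> \<storage name\>.blob.\<appliance name\>.\<dnsdomain\>` also has an extra space before the closing `\>` of the first placeholder.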
@@ -253,7 +253,7 @@ $DiskConfig = New-AzureRmDiskConfig -Location DBELocal -CreateOption Import ΓÇôS
New-AzureRMDisk -ResourceGroupName <Resource group name> -DiskName <Disk name> -Disk $DiskConfig ```
-A sample output is shown below. For more information on this cmdlet, go to [New-AzureRmDisk](/powershell/module/azurerm.compute/new-azurermdisk?view=azurermps-6.13.0).
+A sample output is shown below. For more information on this cmdlet, go to [New-AzureRmDisk](/powershell/module/azurerm.compute/new-azurermdisk?view=azurermps-6.13.0&preserve-view=true).
```powershell Tags :
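Review bot: in the hunk header `New-AzureRmDiskConfig -Location DBELocal -CreateOption Import ΓÇôS...` the parameter after `Import` is prefixed with what renders as `ΓÇô`, a mojibaked en dash, rather than an ASCII hyphen; replace it with `-` so the cmdlet line copies cleanly and matches the other parameters.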
@@ -293,7 +293,7 @@ Set-AzureRmImageOsDisk -Image $imageConfig -OsType 'Linux' -OsState 'Generalized
New-AzureRmImage -Image $imageConfig -ImageName <Image name> -ResourceGroupName <Resource group name> ```
-A sample output is shown below. For more information on this cmdlet, go to [New-AzureRmImage](/powershell/module/azurerm.compute/new-azurermimage?view=azurermps-6.13.0).
+A sample output is shown below. For more information on this cmdlet, go to [New-AzureRmImage](/powershell/module/azurerm.compute/new-azurermimage?view=azurermps-6.13.0&preserve-view=true).
```powershell New-AzureRmImage -Image Microsoft.Azure.Commands.Compute.Automation.Models.PSImage -ImageName ig191113014333 -ResourceGroupName rg191113014333
@@ -316,8 +316,8 @@ You must create one virtual network and associate a virtual network interface be
> [!IMPORTANT] > While creating virtual network and virtual network interface, the following rules apply: > - Only one Vnet can be created (even across resource groups) and it must match exactly with the logical network in terms of the address space.
-> - Only one subnet will be allowed in the Vnet. The subnet must be the exact same address space as the Vnet.
-> - Only static allocation method will be allowed during Vnic creation and user needs to provide a private IP address.
+> - Only one subnet will be allowed in the Vnet. The subnet must be the exact same address space as the Vnet.
+> - Only static allocation method will be allowed during Vnic creation and user needs to provide a private IP address.
**Query the automatically created Vnet**
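Review bot: the two `-`/`+` pairs in this hunk are identical apart from whitespace, so the change is trailing-space cleanup only. While touching these lines, fix the grammar: "Only one subnet is allowed in the Vnet; the subnet must have exactly the same address space as the Vnet." and "Only the static allocation method is allowed during Vnic creation, and the user must provide a private IP address."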
@@ -496,7 +496,7 @@ Run the following cmdlet to turn on a virtual machine running on your device:
`Start-AzureRmVM [-Name] <String> [-ResourceGroupName] <String>`
-For more information on this cmdlet, go to [Start-AzureRmVM](/powershell/module/azurerm.compute/start-azurermvm?view=azurermps-6.13.0).
+For more information on this cmdlet, go to [Start-AzureRmVM](/powershell/module/azurerm.compute/start-azurermvm?view=azurermps-6.13.0&preserve-view=true).
### Suspend or shut down the VM
@@ -508,7 +508,7 @@ Stop-AzureRmVM [-Name] <String> [-StayProvisioned] [-ResourceGroupName] <String>
```
-For more information on this cmdlet, go to [Stop-AzureRmVM cmdlet](/powershell/module/azurerm.compute/stop-azurermvm?view=azurermps-6.13.0).
+For more information on this cmdlet, go to [Stop-AzureRmVM cmdlet](/powershell/module/azurerm.compute/stop-azurermvm?view=azurermps-6.13.0&preserve-view=true).
### Add a data disk
@@ -528,10 +528,10 @@ Run the following cmdlet to remove a virtual machine from your device:
Remove-AzureRmVM [-Name] <String> [-ResourceGroupName] <String> ```
-For more information on this cmdlet, go to [Remove-AzureRmVm cmdlet](/powershell/module/azurerm.compute/remove-azurermvm?view=azurermps-6.13.0).
+For more information on this cmdlet, go to [Remove-AzureRmVm cmdlet](/powershell/module/azurerm.compute/remove-azurermvm?view=azurermps-6.13.0&preserve-view=true).
## Next steps
-[Azure Resource Manager cmdlets](/powershell/module/azurerm.resources/?view=azurermps-6.13.0)
\ No newline at end of file
+[Azure Resource Manager cmdlets](/powershell/module/azurerm.resources/?view=azurermps-6.13.0&preserve-view=true)
\ No newline at end of file
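Review bot: both the old and the new last line carry `\ No newline at end of file`; since the line is being edited anyway, add the trailing newline so line-oriented tools handle the file cleanly.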
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-gpu-deploy-virtual-machine-templates https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-gpu-deploy-virtual-machine-templates.md a/articles/databox-online/azure-stack-edge-gpu-deploy-virtual-machine-templates.md
@@ -7,7 +7,7 @@
Previously updated : 11/16/2020 Last updated : 01/25/2021 #Customer intent: As an IT admin, I need to understand how to create and manage virtual machines (VMs) on my Azure Stack Edge Pro device using APIs so that I can efficiently manage my VMs.
@@ -26,7 +26,7 @@ To deploy Azure Stack Edge Pro VMs across many device, you can use a single sysp
The high level summary of the deployment workflow using templates is as follows:
-1. **Configure prerequisites** - There are 3 types of prerequisites; device, client, and for the VM.
+1. **Configure prerequisites** - There are three types of prerequisites: device, client, and for the VM.
1. **Device prerequisites**
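Review bot: the hunk header "To deploy Azure Stack Edge Pro VMs across many device" should read "many devices", and the new "three types of prerequisites: device, client, and for the VM" is not parallel; "device, client, and VM prerequisites" reads better and matches the `## VM prerequisites` heading later in the file.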
@@ -44,7 +44,7 @@ The high level summary of the deployment workflow using templates is as follows:
1. Create a resource group in the device location that will contain all the VM resources. 1. Create a storage account to upload the VHD used to create VM image. 1. Add local storage account URI to DNS or hosts file on the client accessing your device.
- 1. Install the blob storage certificate on the device as well as on the local client accessing your device. Optionally install the blob storage certificate on the Storage Explorer.
+ 1. Install the blob storage certificate on the device and on the local client accessing your device. Optionally install the blob storage certificate on the Storage Explorer.
1. Create and upload a VHD to the storage account created earlier. 2. **Create VM from templates**
@@ -68,7 +68,7 @@ Configure these prerequisites on your client that will be used to access the Azu
## VM prerequisites
-Configure these prerequisites to create resources which will be needed for VM creation.
+Configure these prerequisites to create the resources needed for VM creation.
### Create a resource group
@@ -98,7 +98,7 @@ PS C:\windows\system32>
### Create a storage account
-Create a new storage account using the resource group created in the previous step. This is a **local storage account** that will be used to upload the virtual disk image for the VM.
+Create a new storage account using the resource group created in the previous step. This account is a **local storage account** that will be used to upload the virtual disk image for the VM.
```powershell New-AzureRmStorageAccount -Name <Storage account name> -ResourceGroupName <Resource group name> -Location DBELocal -SkuName Standard_LRS
@@ -192,7 +192,7 @@ Copy any disk images to be used into page blobs in the local storage account tha
7. Review the **Connection summary** and select **Connect**.
-8. The storage account appears in the left-pane. Select and expand the storage account. Select **Blob containers**, right-click and select **Create Blob Container**. Provide a name for your blob container.
+8. The storage account appears in the left-pane. Select and expand the storage account. Select **Blob containers**, right-click, and select **Create Blob Container**. Provide a name for your blob container.
9. Select the container you just created and in the right-pane, select **Upload > Upload files**.
@@ -206,7 +206,7 @@ Copy any disk images to be used into page blobs in the local storage account tha
![Upload VHD file 3](media/azure-stack-edge-gpu-deploy-virtual-machine-templates/upload-vhd-file-3.png)
-12. Copy and save the **Uri** as you will use this in the later steps.
+12. Copy and save the **Uri**, which you will use in later steps.
![Copy URI](media/azure-stack-edge-gpu-deploy-virtual-machine-templates/copy-uri-1.png)
@@ -234,7 +234,7 @@ The file `CreateImage.parameters.json` takes the following parameters:
} ```
-Edit the file `CreateImage.parameters.json` to include the following for your Azure Stack Edge Pro device:
+Edit the file `CreateImage.parameters.json` to include the following values for your Azure Stack Edge Pro device:
1. Provide the OS type corresponding to the VHD you will upload. The OS type can be Windows or Linux.
@@ -247,16 +247,17 @@ Edit the file `CreateImage.parameters.json` to include the following for your Az
2. Change the image URI to the URI of the image you uploaded in the earlier step:
- ```json
- "imageUri": {
- "value": "https://myasegpusavm.blob.myasegpu1.wdshcsso.com/windows/WindowsServer2016Datacenter.vhd"
- },
- ```
- If youΓÇÖre using *http* with Storage Explorer, change this to an *http* URI.
+ ```json
+ "imageUri": {
+ "value": "https://myasegpusavm.blob.myasegpu1.wdshcsso.com/windows/WindowsServer2016Datacenter.vhd"
+ },
+ ```
+
+ If youΓÇÖre using *http* with Storage Explorer, change the URI to an *http* URI.
3. Provide a unique image name. This image is used to create VM in the later steps.
- Here is a sample json that is used in this article.
+ Here is a sample json that is used in this article.
```json {
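Review bot: the apostrophe in "youΓÇÖre" on the added line is a curly quote that has been mis-encoded; use a plain ASCII apostrophe ("you're") so it renders reliably wherever the page is served. The same sentence tells the reader to switch to an *http* URI when Storage Explorer is set up for http; since the sample `imageUri` is an https URI, state that https is the default and http only a fallback for that Storage Explorer configuration, so readers do not downgrade the image transfer unnecessarily.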
@@ -275,6 +276,7 @@ Edit the file `CreateImage.parameters.json` to include the following for your Az
} } ```+ 5. Save the parameters file.
@@ -585,4 +587,4 @@ Follow these steps to connect to a Linux VM.
## Next steps
-[Azure Resource Manager cmdlets](/powershell/module/azurerm.resources/?view=azurermps-6.13.0)
\ No newline at end of file
+[Azure Resource Manager cmdlets](/powershell/module/azurerm.resources/?view=azurermps-6.13.0&preserve-view=true)
\ No newline at end of file
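Review bot: the file still ends without a trailing newline (`\ No newline at end of file` on both the removed and the added line); since the last line is being touched anyway, end the file with a newline so later diffs and linters stay clean.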
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-j-series-connect-resource-manager https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-j-series-connect-resource-manager.md a/articles/databox-online/azure-stack-edge-j-series-connect-resource-manager.md
@@ -7,7 +7,7 @@
Previously updated : 08/28/2020 Last updated : 01/25/2021 #Customer intent: As an IT admin, I need to understand how to connect to Azure Resource Manager on my Azure Stack Edge Pro device so that I can manage resources.
@@ -135,9 +135,9 @@ Your Windows client must meet the following prerequisites:
Compare the **Major** version and ensure that it is 5.0 or later.
- If you have an outdated version, see [Upgrading existing Windows PowerShell](/powershell/scripting/install/installing-windows-powershell?view=powershell-6#upgrading-existing-windows-powershell).
+ If you have an outdated version, see [Upgrading existing Windows PowerShell](/powershell/scripting/install/installing-windows-powershell?view=powershell-6&preserve-view=true#upgrading-existing-windows-powershell).
- If you don\'t have PowerShell 5.0, follow [Installing Windows PowerShell](/powershell/scripting/install/installing-windows-powershell?view=powershell-6).
+ If you don\'t have PowerShell 5.0, follow [Installing Windows PowerShell](/powershell/scripting/install/installing-windows-powershell?view=powershell-6&preserve-view=true).
A sample output is shown below.
@@ -153,7 +153,7 @@ Your Windows client must meet the following prerequisites:
2. You can access the PowerShell Gallery.
- Run PowerShell as administrator. Verify if the PSGallery is registered as a repository.
+ Run PowerShell as administrator. Verify if the `PSGallery` is registered as a repository.
```powershell Import-Module -Name PowerShellGet -ErrorAction Stop
@@ -172,7 +172,7 @@ Your Windows client must meet the following prerequisites:
PSGallery Trusted https://www.powershellgallery.com/api/v2 ```
-If your repository is not trusted or you need more information, see [Validate the PowerShell Gallery accessibility](/azure-stack/operator/azure-stack-powershell-install?view=azs-1908#2-validate-the-powershell-gallery-accessibility).
+If your repository is not trusted or you need more information, see [Validate the PowerShell Gallery accessibility](/azure-stack/operator/azure-stack-powershell-install?view=azs-1908&preserve-view=true&preserve-view=true#2-validate-the-powershell-gallery-accessibility).
## Step 4: Set up Azure PowerShell on the client
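Review bot: the added link duplicates a query parameter: `?view=azs-1908&preserve-view=true&preserve-view=true#2-validate-the-powershell-gallery-accessibility`. Drop one `&preserve-view=true` so the URL matches the form used in the other links in this change.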
@@ -324,7 +324,7 @@ Set the Azure Resource Manager environment and verify that your device to client
Set-AzureRMEnvironment -Name <Environment Name> ```
- For more information, go to [Set-AzureRMEnvironment](/powershell/module/azurerm.profile/set-azurermenvironment?view=azurermps-6.13.0).
+ For more information, go to [Set-AzureRMEnvironment](/powershell/module/azurerm.profile/set-azurermenvironment?view=azurermps-6.13.0&preserve-view=true).
- Define the environment inline for every cmdlet that you execute. This ensures that all the API calls are going through the correct environment. By default, the calls would go through the Azure public but you want these to go through the environment that you set for Azure Stack Edge Pro device.
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-j-series-deploy-stateless-application-kubernetes https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-j-series-deploy-stateless-application-kubernetes.md a/articles/databox-online/azure-stack-edge-j-series-deploy-stateless-application-kubernetes.md
@@ -7,7 +7,7 @@
Previously updated : 08/28/2020 Last updated : 01/22/2021
@@ -21,7 +21,7 @@ Before you can create a Kubernetes cluster and use the `kubectl` command-line to
- You have sign-in credentials to a 1-node Azure Stack Edge Pro device. -- Windows PowerShell 5.0 or later is installed on a Windows client system to access the Azure Stack Edge Pro device. You can have any other client with a Supported operating system as well. This article describes the procedure when using a Windows client. To download the latest version of Windows PowerShell, go to [Installing Windows PowerShell](/powershell/scripting/install/installing-windows-powershell?view=powershell-7).
+- Windows PowerShell 5.0 or later is installed on a Windows client system to access the Azure Stack Edge Pro device. You can have any other client with a Supported operating system as well. This article describes the procedure when using a Windows client. To download the latest version of Windows PowerShell, go to [Installing Windows PowerShell](/powershell/scripting/install/installing-windows-powershell?view=powershell-7&preserve-view=true).
- Compute is enabled on the Azure Stack Edge Pro device. To enable compute, go to the **Compute** page in the local UI of the device. Then select a network interface that you want to enable for compute. Select **Enable**. Enabling compute results in the creation of a virtual switch on your device on that network interface. For more information, see [Enable compute network on your Azure Stack Edge Pro](azure-stack-edge-gpu-deploy-configure-network-compute-web-proxy.md).
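Review bot: "a Supported operating system" on the added line capitalises an ordinary adjective; write "a supported operating system" (or link the phrase to the supported-OS list if one exists) so the capital does not read as a product name.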
@@ -51,7 +51,7 @@ To check the version of `kubectl`:
kubectl version ```
- Here is an example of the output:
+ An example of the output is shown below:
```powershell PS C:\WINDOWS\system32> C:\windows\system32\kubectl.exe version
@@ -59,7 +59,7 @@ To check the version of `kubectl`:
Server Version: version.Info{Major:"1", Minor:"15", GitVersion:"v1.15.1", GitCommit:"4485c6f18cee9a5d3c3b4e523bd27972b1b53892", GitTreeState:"clean", BuildDate:"2019-07-18T09:09:21Z", GoVersion:"go1.12.5", Compiler:"gc", Platform:"linux/amd64"} ```
- In this case the client version of kubectl is v1.15.2 and is compatible to proceed.
+ In this case, the client version of kubectl is v1.15.2 and is compatible to continue.
2. Get a list of the pods running on your Kubernetes cluster. A pod is an application container, or process, running on your Kubernetes cluster.
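Review bot: "is compatible to continue" on the added line still reads awkwardly, and the sentence never says what the client is compatible with. Given the sample output shows client v1.15.2 against server v1.15.1, consider "the client version of kubectl is v1.15.2, which is compatible with the server version, so you can continue."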
@@ -67,7 +67,7 @@ To check the version of `kubectl`:
kubectl get pods -n <namespace-string> ```
- Here is an example of command usage:
+ An example of command usage is shown below:
```powershell PS C:\WINDOWS\system32> kubectl get pods -n "test1"
@@ -99,7 +99,7 @@ To check the version of `kubectl`:
### Create a stateless application using a deployment
-Now that you have verified that the kubectl command-line version is correct and have the required configuration files, you can create a stateless application deployment.
+Now that you've verified that the kubectl command-line version is correct and you have the required configuration files, you can create a stateless application deployment.
A pod is the basic execution unit of a Kubernetes application, the smallest and simplest unit in the Kubernetes object model that you create or deploy. A pod also encapsulates storage resources, a unique network IP, and options that govern how the container(s) should run.
@@ -119,7 +119,7 @@ Follow these steps to create an nginx deployment:
In this example, the path to the application YAML file is an external source.
- Here is a sample usage of the command and output:
+ Here is a sample use of the command and its output:
```powershell PS C:\WINDOWS\system32> kubectl apply -f https://k8s.io/examples/application/deployment.yaml -n "test1"
@@ -127,7 +127,7 @@ Follow these steps to create an nginx deployment:
deployment.apps/nginx-deployment created ```
- Alternatively, you can save the following markdown to your local machine and substitute the path and filename in the *-f* parameter. For instance, "C:\Kubernetes\deployment.yaml". Here is the configuration for the application deployment:
+ Alternatively, you can save the following markdown to your local machine and substitute the path and filename in the *-f* parameter. For instance, "C:\Kubernetes\deployment.yaml". The configuration for the application deployment would be:
```markdown apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
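Review bot: the added line still calls the deployment manifest "markdown" and the fence that follows is tagged ```markdown, but the content (`apiVersion: apps/v1`) is YAML. Use "save the following YAML" and tag the fence ```yaml so syntax highlighting and copy-to-file behave correctly.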
@@ -159,7 +159,7 @@ Follow these steps to create an nginx deployment:
kubectl describe deployment nginx-deployment -n <namespace-string> ```
- Here is sample usage of the command and output:
+ A sample use of the command, with output, is shown below:
```powershell PS C:\Users\user> kubectl describe deployment nginx-deployment -n "test1"
@@ -199,13 +199,13 @@ Follow these steps to create an nginx deployment:
Normal ScalingReplicaSet 2m22s deployment-controller Scaled up replica set nginx-deployment-5754944d6c to 2 ```
- If you look closely at the *replicas* setting, you will see:
+ For the *replicas* setting, you will see:
```powershell Replicas: 2 desired | 2 updated | 2 total | 2 available | 0 unavailable ```
- The *replicas* setting indicates that your deployment specification required two pods, that those pods where created and updated, and that they are ready for you to use.
+ The *replicas* setting indicates that your deployment specification requires two pods, and that those pods were created and updated and are ready for you to use.
> [!NOTE] > A replica set replaces pods that are deleted or terminated for any reason, such as in the case of device node failure or a disruptive device upgrade. For this reason, we recommend that you use a replica set even if your application requires only a single pod.
@@ -216,7 +216,7 @@ Follow these steps to create an nginx deployment:
kubectl get pods -l app=nginx -n <namespace-string> ```
- Here is sample usage of the command and output:
+ A sample use of the command, with output, is shown below:
```powershell PS C:\Users\user> kubectl get pods -l app=nginx -n "test1"
@@ -234,7 +234,7 @@ Follow these steps to create an nginx deployment:
kubectl describe pod <podname-string> -n <namespace-string> ```
- Here is sample usage of the command and output:
+ A sample use of the command, with output, is shown below:
```powershell PS C:\Users\user> kubectl describe pod "nginx-deployment-5754944d6c-7wqjd" -n "test1"
@@ -291,14 +291,14 @@ Follow these steps to create an nginx deployment:
### Rescale the application deployment by increasing the replica count
-Each pod is meant to run a single instance of a given application. If you want to scale your application horizontally to run multiple instances, you can increase the number of pods, one for each instance. In Kubernetes, this is referred to as replication.
+Each pod is meant to run a single instance of a given application. If you want to scale your application horizontally to run multiple instances, you can increase the number of pods to one for each instance. In Kubernetes, this is referred to as replication.
You can increase the number of pods in your application deployment by applying a new YAML file. The YAML file changes the replicas setting to 4, which increases the number of pods in your deployment to four pods. To increase the number of pods from 2 to 4: ```powershell PS C:\WINDOWS\system32> kubectl apply -f https://k8s.io/examples/application/deployment-scale.yaml -n "test1" ```
-Alternatively, you can save the following markdown on your local machine and substitute the path and filename for the *-f* parameter for `kubectl apply`. For instance, "C:\Kubernetes\deployment-scale.yaml". Here is the configuration for the application deployment scale:
+Alternatively, you can save the following markdown on your local machine and substitute the path and filename for the *-f* parameter for `kubectl apply`. For instance, "C:\Kubernetes\deployment-scale.yaml". The configuration for the application deployment scale would be:
```markdown apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
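Review bot: "increase the number of pods to one for each instance" on the added line changes the meaning of the original ("increase the number of pods, one for each instance"); the intent is one pod per instance, so consider "increase the number of pods, running one pod per instance." As in the earlier deployment step, the manifest is described as "markdown" and fenced as ```markdown although it is YAML; tag it ```yaml. Since the hunk already offers saving the file locally as an alternative to `kubectl apply -f https://k8s.io/examples/application/deployment-scale.yaml`, consider leading with the local-file form so readers review the manifest before applying it to the cluster.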
@@ -328,7 +328,7 @@ To verify that the deployment has four pods:
kubectl get pods -l app=nginx ```
-Here is example output for a rescaling deployment from two to four pods:
+Example output for a rescaling deployment from two to four pods is shown below:
```powershell PS C:\WINDOWS\system32> kubectl get pods -l app=nginx
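Review bot: the verification command `kubectl get pods -l app=nginx` omits the `-n <namespace-string>` argument that every other command in this article carries; the deployment was created in the "test1" namespace, so without `-n` the command queries the default namespace and returns no pods. Add `-n <namespace-string>` to both the command and the sample output below it.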
@@ -350,7 +350,7 @@ To delete the deployment, including all the pods, you need to run `kubectl delet
kubectl delete deployment nginx-deployment -n <namespace-string> ```
-Here is an example of command usage and output:
+An example of command usage, with output, is shown below:
```powershell PS C:\Users\user> kubectl delete deployment nginx-deployment -n "test1"
databox-online https://docs.microsoft.com/en-us/azure/databox-online/azure-stack-edge-j-series-deploy-virtual-machine-cli-python https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/azure-stack-edge-j-series-deploy-virtual-machine-cli-python.md a/articles/databox-online/azure-stack-edge-j-series-deploy-virtual-machine-cli-python.md
@@ -1,13 +1,13 @@
Title: Deploy VMs on your Azure Stack Edge Pro device GPU via Azure CLI and Python
-description: Describes how to create and manage virtual machines (VMs) on a Azure Stack Edge Pro GPU device using Azure CLI and Python.
+description: Describes how to create and manage virtual machines (VMs) on an Azure Stack Edge Pro GPU device using Azure CLI and Python.
Previously updated : 09/07/2020 Last updated : 01/22/2021 #Customer intent: As an IT admin, I need to understand how to create and manage virtual machines (VMs) on my Azure Stack Edge Pro device using APIs so that I can efficiently manage my VMs.
@@ -26,7 +26,7 @@ The deployment workflow is illustrated in the following diagram.
![VM deployment workflow](media/azure-stack-edge-gpu-deploy-virtual-machine-powershell/vm-workflow-r.svg)
-The high level summary of the deployment workflow are as follows:
+The high-level summary of the deployment workflow is as follows:
1. Connect to Azure Resource Manager 2. Create a resource group
@@ -67,9 +67,9 @@ Before you begin creating and managing a VM on your Azure Stack Edge Pro device
3. You created and installed all the certificates on your Azure Stack Edge Pro device and in the trusted store of your client. Follow the procedure described in [Step 2: Create and install certificates](azure-stack-edge-j-series-connect-resource-manager.md#step-2-create-and-install-certificates).
-4. You created a Base-64 encoded *.cer* certificate (PEM format) for your Azure Stack Edge Pro device. This is already uploaded as signing chain on the device and installed in the trusted root store on your client. This certificate is also required in *pem* format for Python to work on this client.
+4. You created a Base-64 encoded *.cer* certificate (PEM format) for your Azure Stack Edge Pro device. That certificate is already uploaded as signing chain on the device and installed in the trusted root store on your client. This certificate is also required in *pem* format for Python to work on this client.
- Convert this certificate to pem format by using the `certutil` command. You must run this command in the directory that contains your certificate.
+ Convert this certificate to `pem` format by using the `certutil` command. You must run this command in the directory that contains your certificate.
```powershell certutil.exe <SourceCertificateName.cer> <DestinationCertificateName.pem>
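Review bot: the command `certutil.exe <SourceCertificateName.cer> <DestinationCertificateName.pem>` has no verb, yet the sample output in the next hunk reports "CertUtil: -encode command completed successfully."; the command shown should be `certutil.exe -encode <SourceCertificateName.cer> <DestinationCertificateName.pem>` to match the output and produce the Base-64 PEM the step asks for.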
@@ -83,9 +83,9 @@ Before you begin creating and managing a VM on your Azure Stack Edge Pro device
CertUtil: -encode command completed successfully. PS C:\Certificates> ```
- You will also add this pem to the Python store later.
+ You will also add this `pem` to the Python store later.
-5. You assigned the device IP in your **Network** page in the local web UI of device. You need to add this IP to:
+5. You assigned the device IP in your **Network** page in the local web UI of device. Add this IP to:
- The host file on the client, OR, - The DNS server configuration
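Review bot: "add this `pem` to the Python store later" on the added line is vague; the step later in the article locates the CA bundle with `certifi.where()`, so say "to the CA bundle used by the Azure CLI's Python (`certifi`)" here so readers know what store is meant. Also, "local web UI of device" in the added step 5 is missing an article ("of the device").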
@@ -114,11 +114,11 @@ Before you begin creating and managing a VM on your Azure Stack Edge Pro device
### Verify profile and install Azure CLI
-<!--1. Verify the API profile of the client and identify which version of the modules and libraries to include on your client. In this example, the client system will be running Azure Stack 1904 or later. For more information, see [Azure Resource Manager API profiles](/azure-stack/user/azure-stack-version-profiles?view=azs-1908#azure-resource-manager-api-profiles).-->
+<!--1. Verify the API profile of the client and identify which version of the modules and libraries to include on your client. In this example, the client system will be running Azure Stack 1904 or later. For more information, see [Azure Resource Manager API profiles](/azure-stack/user/azure-stack-version-profiles?view=azs-1908&preserve-view=true#azure-resource-manager-api-profiles).-->
1. Install Azure CLI on your client. In this example, Azure CLI 2.0.80 was installed. To verify the version of Azure CLI, run the `az --version` command.
- The following is a sample output of the above command:
+ The following is sample output from the above command:
```output PS C:\windows\system32> az --version
@@ -146,7 +146,7 @@ Before you begin creating and managing a VM on your Azure Stack Edge Pro device
If you do not have Azure CLI, download and [Install Azure CLI on Windows](/cli/azure/install-azure-cli-windows). You can run Azure CLI using Windows command prompt or through Windows PowerShell.
-2. Make a note of the CLI's Python location. You need this to determine the location of trusted root certificate store for Azure CLI.
+2. Make a note of the CLI's Python location. You need the Python location to determine the location of the trusted root certificate store for Azure CLI.
3. To run the sample script used in this article, you will need the following Python library versions:
@@ -200,7 +200,7 @@ Before you begin creating and managing a VM on your Azure Stack Edge Pro device
1. Find the certificate location on your machine. The location may vary depending on where you installed `az cli`. Run Windows PowerShell as administrator. Switch to the path where `az cli` installed Python: `C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\python.exe`.
- To get the certificate location type the following command:
+ To get the certificate location, type the following command:
```powershell .\python -c "import certifi; print(certifi.where())"
@@ -263,7 +263,7 @@ Before you begin creating and managing a VM on your Azure Stack Edge Pro device
$ENV:ADAL_PYTHON_SSL_NO_VERIFY = 1 ```
-2. Set environment variables for the script for Azure Resource Manager endpoint, location where the resources are created and the path to where the source VHD is located. The location for the resources is fixed across all the Azure Stack Edge Pro devices and is set to `dbelocal`. You also need to specify the address prefixes and private IP address. All the following environment variables are values based on your values with the exception of `AZURE_RESOURCE_LOCATION`, which should be hardcoded to `"dbelocal"`.
+2. Set environment variables for the script for Azure Resource Manager endpoint, location where the resources are created and the path to where the source VHD is located. The location for the resources is fixed across all the Azure Stack Edge Pro devices and is set to `dbelocal`. You also need to specify the address prefixes and private IP address. All the following environment variables are values based on your values except for `AZURE_RESOURCE_LOCATION`, which should be hardcoded to `"dbelocal"`.
```powershell $ENV:ARM_ENDPOINT = "https://management.team3device.teatraining1.com"
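Review bot: the hunk keeps `$ENV:ADAL_PYTHON_SSL_NO_VERIFY = 1` as context immediately before the added step 2, which disables certificate verification for the authentication library even though the prerequisites had the reader install the device's signing chain in the trusted root store and add the PEM to the CLI's `certifi` bundle. The text should say why this variable is needed despite those steps, that it is limited to the PowerShell session, and that it should not be set permanently or in scripts reused against other endpoints. Separately, "All the following environment variables are values based on your values" is circular; "All the following environment variables take values from your deployment except `AZURE_RESOURCE_LOCATION`..." reads better.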
@@ -316,9 +316,9 @@ Before you begin creating and managing a VM on your Azure Stack Edge Pro device
```powershell PS C:\Certificates> az login -u EdgeARMuser ```
- After using the login command you are prompted for a password. Provide the Azure Resource Manager password.
+ After using the login command, you are prompted for a password. Provide the Azure Resource Manager password.
- The following shows sample output for a successful sign in after supplying the password:
+ The following shows sample output for a successful sign-in after supplying the password:
```output PS C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2> az login -u EdgeARMuser
@@ -339,7 +339,7 @@ Before you begin creating and managing a VM on your Azure Stack Edge Pro device
] PS C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2> ```
- Make a note of the `id` and `tenantId` values as these correspond to your Azure Resource Manager Subscription ID and Azure Resource Manager Tenant ID respectively and will be used in the later step.
+ Make a note of the `id` and `tenantId` values as these values correspond to your Azure Resource Manager Subscription ID and Azure Resource Manager Tenant ID respectively and will be used in the later step.
The following environment variables need to be set to work as *service principal*:
databox-online https://docs.microsoft.com/en-us/azure/databox-online/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox-online/policy-reference.md a/articles/databox-online/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure Stack Edge description: Lists Azure Policy built-in policy definitions for Azure Stack Edge. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
databox https://docs.microsoft.com/en-us/azure/databox/data-box-deploy-ordered https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/data-box-deploy-ordered.md a/articles/databox/data-box-deploy-ordered.md
@@ -227,7 +227,7 @@ Do the following steps in the Azure portal to order a device.
|Source country/region | Select the country/region where your data currently resides. | |Destination Azure region | Select the Azure region where you want to transfer data. <br> For more information, go to [region availability](data-box-overview.md#region-availability). |
- ![Starting an Azure Data Box import order](media/data-box-deploy-ordered/select-data-box-import-04-b.png#lightbox)
+ [ ![Starting an Azure Data Box import order](media/data-box-deploy-ordered/select-data-box-import-04-b.png) ](media/data-box-deploy-ordered/select-data-box-import-04-b.png#lightbox)
5. Select **Data Box**. The maximum usable capacity for a single order is 80 TB. You can create multiple orders for larger data sizes.
databox https://docs.microsoft.com/en-us/azure/databox/data-box-troubleshoot-rest https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/data-box-troubleshoot-rest.md a/articles/databox/data-box-troubleshoot-rest.md
@@ -7,7 +7,7 @@
Previously updated : 04/19/2019 Last updated : 01/25/2021
@@ -61,6 +61,7 @@ These errors are not specific to any application.
|Error message |Recommended action | ||| |The connection times out. |Sign into the Data Box device and check that it is unlocked. Any time the device restarts, it stays locked until someone signs in.|
+|The REST API authentication fails with the error: Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature. ErrorCode:AuthenticationFailed. |One of the reasons why this could happen is when the device time is not synced with that of Azure. If there is a large time skew, the REST API authentication will break when you are trying to copy data to the Data Box via the REST API. In this situation, you can open the outbound UDP 123 port to allow access to `time.windows.com`. Once the device time is synced with that of Azure, authentication should succeed. |
## Next steps
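Review bot: the Recommended action column in the added row tells the reader to open outbound UDP 123 to `time.windows.com` but does not say where that rule applies (the network path between the Data Box and the internet) or how to confirm the device clock is actually skewed before changing firewall rules; add a check step first and name the protocol (NTP) so the change can be scoped to what is needed. "One of the reasons why this could happen is when" can be shortened to "This can happen when".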
databox https://docs.microsoft.com/en-us/azure/databox/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/databox/policy-reference.md a/articles/databox/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure Data Box description: Lists Azure Policy built-in policy definitions for Azure Data Box. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/getting-started https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/getting-started.md a/articles/defender-for-iot/getting-started.md
@@ -15,7 +15,7 @@ Last updated 12/26/2020
-# Getting started with Defender for IoT
+# Get started with Defender for IoT
This article provides an overview of the steps you'll take to set up Azure Defender for IoT. The process requires that you:
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/how-to-create-attack-vector-reports https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/how-to-create-attack-vector-reports.md new file mode 100644 /dev/null
@@ -0,0 +1,71 @@
+
+ Title: Create attack vector reports
+description: Attack vector reports provide a graphical representation of a vulnerability chain of exploitable devices.
+++ Last updated : 12/17/2020++++
+# Attack vector reporting
+
+## About attack vector reports
+
+Attack vector reports provide a graphical representation of a vulnerability chain of exploitable devices. These vulnerabilities can give an attacker access to key network devices. The Attack Vector Simulator calculates attack vectors in real time and analyzes all attack vectors for a specific target.
+
+Working with the attack vector lets you evaluate the effect of mitigation activities in the attack sequence. You can then determine, for example, if a system upgrade disrupts the attacker's path by breaking the attack chain, or if an alternate attack path remains. This information helps you prioritize remediation and mitigation activities.
+
+:::image type="content" source="media/how-to-generate-reports/control-center.png" alt-text="View your alerts in the control center.":::
+
+> [!NOTE]
+> Administrators and security analysts can perform the procedures described in this section.
+
+## Create an attack vector report
+
+To create an attack vector simulation:
+
+1. Select :::image type="content" source="media/how-to-generate-reports/plus.png" alt-text="Plus sign":::on the side menu to add a Simulation.
+
+ :::image type="content" source="media/how-to-generate-reports/vector.png" alt-text="The attack vector simulation.":::
+
+2. Enter simulation properties:
+
+ - **Name**: Simulation name.
+
+ - **Maximum vectors**: The maximum number of vectors in a single simulation.
+
+ - **Show in Device map**: Show the attack vector as a filter on the device map.
+
+ - **All Source devices**: The attack vector will consider all devices as an attack source.
+
+ - **Attack Source**: The attack vector will consider only the specified devices as an attack source.
+
+ - **All Target devices**: The attack vector will consider all devices as an attack target.
+
+ - **Attack Target**: The attack vector will consider only the specified devices as an attack target.
+
+ - **Exclude devices**: Specified devices will be excluded from the attack vector simulation.
+
+ - **Exclude Subnets**: Specified subnets will be excluded from the attack vector simulation.
+
+3. Select **Add Simulation**. The simulation will be added to the simulations list.
+
+ :::image type="content" source="media/how-to-generate-reports/new-simulation.png" alt-text="Add a new simulation.":::
+
+4. Select :::image type="icon" source="media/how-to-generate-reports/edit-a-simulation-icon.png" border="false"::: if you want to edit the simulation.
+
+ Select :::image type="icon" source="media/how-to-generate-reports/delete-simulation-icon.png" border="false"::: if you want to delete the simulation.
+
+ Select :::image type="icon" source="media/how-to-generate-reports/make-a-favorite-icon.png" border="false"::: if you want to mark the simulation as a favorite.
+
+5. A list of attack vectors appears and includes vector score (out of 100), attack source device, and attack target device. Select a specific attack for graphical depiction of attack vectors.
+
+ :::image type="content" source="media/how-to-generate-reports/sample-attack-vectors.png" alt-text="Attack vectors.":::
+
+## See also
+
+[Attack vector reporting](how-to-create-attack-vector-reports.md)
++
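Review bot: the "See also" section links to this same file (`[Attack vector reporting](how-to-create-attack-vector-reports.md)`), which is a self-reference; point it at a related article or drop the section. The first image's alt text, "View your alerts in the control center.", does not describe an attack vector report; alt text should match what the screenshot shows. In step 1, the `:::image:::` directive runs directly into "on the side menu" without a space.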
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/how-to-create-data-mining-queries https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/how-to-create-data-mining-queries.md new file mode 100644 /dev/null
@@ -0,0 +1,282 @@
+
+ Title: Create data mining reports
+description: generate comprehensive and granular information about your network devices at various layers, such as protocols, firmware versions, or programming commands.
+++ Last updated : 01/20/2021++++
+# Sensor data mining queries
+
+## About Sensor data mining queries
+
+Data mining tools let you generate comprehensive and granular information about your network devices at various layers. For example, you can create a query based on:
+
+- Time periods
+
+- Connections to the internet
+
+- Ports
+
+- Protocols
+
+- Firmware versions
+
+- Programming commands
+
+- Inactivity of the device
+
+You can fine-tune the report based on filters. For example, you can query a specific subnet in which firmware was updated.
+
+:::image type="content" source="media/how-to-generate-reports/active-device-list-v2.png" alt-text="List of active devices.":::
+
+Various tools are available to manage queries. For example, you can export and save.
+
+> [!NOTE]
+> Administrators and security analysts have access to data-mining options.
+
+### Dynamic updates
+
+Data mining queries that you create are dynamically updated each time you open them. For example:
+
+- If you create a report for firmware versions on devices on June 1 and open the report again on June 10, this report will be updated with information that's accurate for June 10.
+
+- If you create a report to detect new devices discovered over the last 30 days on June 1 and open the report on June 30, the results will be displayed for the last 30 days.
+
+### Data mining use cases
+
+You can use queries to handle an extensive range of security needs for various security teams:
+
+- **SOC incident response**: Generate a report in real time to help deal with immediate incident response. For example, generate a report for a list of devices that might require patching.
+
+- **Forensics**: Generate a report based on historical data for investigative reports.
+
+- **IT Network Integrity**: Generate a report that helps improve overall network security. For example, generate a report that lists devices with weak authentication credentials.
+
+- **Visibility**: Generate a report that covers all query items to view all baseline parameters of your network.
+
+## Data mining storage
+
+Data mining information is saved and stored continuously, except for when a device is deleted. Data mining results can be exported and stored externally to a secure server. In addition, the sensor performs automatic daily backups to ensure system continuity and preservation of data.
++
+## Predefined data mining queries
+
+The following predefined queries are available. These queries are generated in real time.
+
+- **CVEs**: A list of devices detected with known vulnerabilities within the last 24 hours.
+
+- **Excluded CVEs**: A list of all the CVEs that were manually excluded. To achieve more accurate results in VA reports and attack vectors, you can customize the CVE list manually by including and excluding CVEs.
+
+- **Internet activity**: Devices that are connected to the internet.
+
+- **Nonactive devices**: Devices that have not communicated for the past seven days.
+
+- **Active devices**: Active network devices within the last 24 hours.
+
+- **Remote access**: Devices that communicate through remote session protocols.
+
+- **Programming commands**: Devices that send industrial programming.
+
+These reports are automatically accessible from the **Reports** screen, where RO users and other users can view them. RO users can't access data-mining reports.
+
+:::image type="content" source="media/how-to-generate-reports/data-mining-screeshot-v2.png" alt-text="The data mining screen.":::
+
+## Create a data mining query
+
+To create a data-mining report:
+
+1. Select **Data Mining** from the side menu. Predefined suggested reports appear automatically.
+
+ :::image type="content" source="media/how-to-generate-reports/data-mining-screeshot-v2.png" alt-text="Select data mining from side pane.":::
+
+2. Select :::image type="icon" source="media/how-to-generate-reports/plus-icon.png" border="false":::.
+
+3. Select **New Report** and define the report.
+
+ :::image type="content" source="media/how-to-generate-reports/create-new-report-screen.png" alt-text="Create a new report by filling out this screen.":::
+
+ The following parameters are available:
+
+ - Provide a report name and description.
+
+ - For categories, select either:
+
+ - **Categories (All)** to view all report results about all devices in your network.
+
+ - **Generic** to choose standard categories.
+
+ - Select specific report parameters of interest to you.
+
+ - Choose a sort order (**Order by**). Sort results based on activity or category.
+
+ - Select **Save to Report Pages** to save the report results as a report that's accessible from the **Report** page. This will enable RO users to run the report that you created.
+
+ - Select **Filters (Add)** to add more filters. Wildcard requests are supported.
+
+ - Specify a device group (defined in the device map).
+
+ - Specify an IP address.
+
+ - Specify a port.
+
+ - Specify a MAC address.
+
+4. Select **Save**. Report results open on the **Data Mining** page.
+
+:::image type="content" source="media/how-to-generate-reports/data-mining-page.png" alt-text="Report results as seen on the Data Mining page.":::
+
+### Manage data-mining reports
+
+The following table describes management options for data mining:
+
+| Icon image | Description |
+|--|--|
+| :::image type="icon" source="media/how-to-generate-reports/edit-a-simulation-icon.png" border="false"::: | Edit the report parameters. |
+| :::image type="icon" source="media/how-to-generate-reports/export-as-pdf-icon.png" border="false"::: | Export as PDF. |
+| :::image type="icon" source="media/how-to-generate-reports/csv-export-icon.png" border="false"::: |Export as CSV. |
+| :::image type="icon" source="media/how-to-generate-reports/information-icon.png" border="false"::: | Show additional information such as the date last modified. Use this feature to create a query result snapshot. You might need to do this for further investigation with team leaders or SOC analysts, for example. |
+| :::image type="icon" source="media/how-to-generate-reports/pin-icon.png" border="false"::: | Display on the **Reports** page or hide on the **Reports** page. :::image type="content" source="media/how-to-generate-reports/hide-reports-page.png" alt-text="Hide or reveal your reports."::: |
+| :::image type="icon" source="media/how-to-generate-reports/delete-simulation-icon.png" border="false"::: | Delete the report. |
+
+#### Create customized directories
+
+You can organize the extensive information for data-mining queries by creating directories for categories. For example, you can create directories for protocols or locations.
+
+To create a new directory:
+
+1. Select :::image type="icon" source="media/how-to-generate-reports/plus-icon.png" border="false"::: to add a new directory.
+
+2. Select **New Directory** to display the new directory form.
+
+3. Name the new directory.
+
+4. Drag the required reports into the new directory. At any time, you can drag the report back to the main view.
+
+5. Right-click the new directory to open, edit, or delete it.
+
+#### Create snapshots of report results
+
+You might need to save certain query results for further investigation. For example, you might need to share results with various security teams.
+
+Snapshots are saved within the report results and don't generate dynamic queries.
+
+:::image type="content" source="media/how-to-generate-reports/report-results-report.png" alt-text="Snapshots.":::
+
+To create a snapshot:
+
+1. Open the required report.
+
+2. Select the information icon :::image type="icon" source="media/how-to-generate-reports/information-icon.png" border="false":::.
+
+3. Select **Take New**.
+
+4. Enter a name for the snapshot and select **Save**.
+
+:::image type="content" source="media/how-to-generate-reports/take-a-snapshot.png" alt-text="Take a snapshot.":::
+
+#### Customize the CVE list
+
+You can manually customize the CVE list as follows:
+
+ - Include/exclude CVEs
+
+ - Change the CVE score
+
+To perform manual changes in the CVE report:
+
+1. From the side menu, select **Data Mining**.
+
+2. Select :::image type="icon" source="media/how-to-generate-reports/plus-icon.png" border="false"::: in the upper-left corner of the **Data Mining** window. Then select **New Report**.
+
+ :::image type="content" source="media/how-to-generate-reports/create-a-new-report-screen.png" alt-text="Create a new report.":::
+
+3. From the left pane, select one of the following options:
+
+ - **Known Vulnerabilities**: Selects both options and presents results in the report's two tables, one with CVEs and the other with excluded CVEs.
+
+ - **CVEs**: Select this option to present a list of all the CVEs.
+
+ - **Excluded CVEs**: Select this option to presents a list of all the excluded CVEs.
+
+4. Fill in the **Name** and **Description** information and select **Save**. The new report appears in the **Data Mining** window.
+
+5. To exclude CVEs, open the data-mining report for CVEs. The list of all the CVEs appears.
+
+ :::image type="content" source="media/how-to-generate-reports/cves.png" alt-text="C V E report.":::
+
+6. To enable selecting items in the list, select :::image type="icon" source="media/how-to-generate-reports/enable-selecting-icon.png" border="false"::: and select the CVEs that you want to customize. The **Operations** bar appears on the bottom.
+
+ :::image type="content" source="media/how-to-generate-reports/operations-bar-appears.png" alt-text="Screenshot of the data-mining Operations bar.":::
+
+7. Select the CVEs that you want to exclude, and then select **Delete Records**. The CVEs that you've selected don't appear in the list of CVEs and will appear in the list of excluded CVEs when you generate one.
+
+8. To include the excluded CVEs in the list of CVEs, generate the report for excluded CVEs and delete from that list the items that you want to include back in the list of CVEs.
+
+9. Select the CVEs in which you want to change the score, and then select **Update CVE Score**.
+
+ :::image type="content" source="media/how-to-generate-reports/set-new-score-screen.png" alt-text="Update the CVE score.":::
+
+10. Enter the new score and select **OK**. The updated score appears in the CVEs that you selected.
+++
+## Sensor reports based on data mining
+
+Regular reports, accessed from the **Reports** option, are predefined data mining reports. They're not dynamic queries as are available in data mining, but a static representation of the data mining query results.
+
+Data mining query results are not available to Read Only users. Administrators and security analysts who want Read Only users to have access to the information generated by data mining queries should save the information as report.
+
+Reports reflect information generated by data mining query results. This includes default data mining reports, which are available in the Reports view. Administrator and security analysts can also generate custom data mining queries, and save them as reports. These reports are available for RO users as well.
+
+To generate a report:
+
+1. Select **Reports** on the side menu.
+
+2. Choose the required report to display. The choice can be **Custom** or **Auto-Generated** reports, such as **Programming Commands** and **Remote Access**.
+
+3. You can export the report by selecting one of the icons on the upper right of the screen:
+
+ :::image type="icon" source="media/how-to-generate-reports/export-to-pdf-icon.png" border="false"::: Export to a PDF file.
+
+ :::image type="icon" source="media/how-to-generate-reports/export-to-csv-icon.png" border="false"::: Export to a CSV file.
+
+> [!NOTE]
+> The RO user can see only reports created for them.
+
+:::image type="content" source="media/how-to-generate-reports/select-a-report-screen.png" alt-text="Select the report to generate.":::
+
+:::image type="content" source="media/how-to-generate-reports/remote-access-report.png" alt-text="Remote access report generated.":::
+
+## On-premises management console reports based on data mining reports
+
+The on-premises management console lets you generate reports for each sensor that's connected to it. Reports are based on sensor data-mining queries that are performed.
+
+You can generate the following reports:
+
+- **Active Devices (Last 24 Hours)**: Presents a list of devices that show network activity within a period of 24 hours.
+
+- **Non-Active Devices (Last 7 Days)**: Presents a list of devices that show no network activity in the last seven days.
+
+- **Programming Commands**: Presents a list of devices that sent programming commands within the last 24 hours.
+
+- **Remote Access**: Presents a list of devices that remote sources accessed within the last 24 hours.
+
+:::image type="content" source="media/how-to-generate-reports/reports-view.png" alt-text="Screenshot of the reports view.":::
+
+When you choose the sensor from the on-premises management console, all the custom reports configured on that sensor appear in the list of reports. For each sensor, you can generate a default report or a custom report configured on that sensor.
+
+To generate a report:
+
+1. On the left pane, select **Reports**. The **Reports** window appears.
+
+2. From the **Sensors** drop-down list, select the sensor for which you want to generate the report.
+
+ :::image type="content" source="media/how-to-generate-reports/sensor-drop-down-list.png" alt-text="Screenshot of sensors view.":::
+
+3. From the right drop-down list, select the report that you want to generate.
+
+4. To create a PDF of the report results, select :::image type="icon" source="media/how-to-generate-reports/pdf-report-icon.png" border="false":::.
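Review bot: The paragraph after the predefined-query list contradicts itself on read-only access: it says the reports are on the **Reports** screen "where RO users and other users can view them" and, in the next sentence, "RO users can't access data-mining reports." The later "Sensor reports based on data mining" section draws the intended distinction ("Data mining query results are not available to Read Only users" while saved reports "are available for RO users as well"), so reword the earlier paragraph to say that RO users can view the saved reports on the **Reports** page but cannot open the underlying data-mining queries. Since the **Excluded CVEs** bullet states that excluding CVEs and editing scores changes VA reports and attack vectors, steps 7 and 9 of the CVE customization procedure should repeat that consequence so an analyst knows the change is not confined to the data-mining view. Smaller fixes: "to presents a list of all the excluded CVEs" in the **Excluded CVEs** option, "save the information as report" (missing "a"), and "They're not dynamic queries as are available in data mining" reads awkwardly. Two image paths use "data-mining-screeshot-v2.png"; confirm the file really has that spelling, otherwise both images render broken.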
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/how-to-create-risk-assessment-reports https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/how-to-create-risk-assessment-reports.md new file mode 100644 /dev/null
@@ -0,0 +1,104 @@
+
+ Title: Create risk assessment reports
+description: Gain insight into network risks detected by individual sensors or an aggregate view of risks detected by all sensors.
+++ Last updated : 12/17/2020++++
+# Risk assessment reporting
+
+## About risk assessment reports
+
+Risk assessment reports provide:
+
+- An overall security score for the devices detected by organizational sensors.
+
+- A security score for each network device detected by an individual sensor.
+
+- A breakdown of the number of vulnerable devices, devices that need improvement and secure devices.
+
+- Insight into security and operational issues:
+
+ - Configuration issues
+
+ - Device vulnerability prioritized by security level
+
+ - Network security issues
+
+ - Network operational issues
+
+ - Connections to ICS networks
+
+ - Internet connections
+
+ - Industrial malware indicators
+
+ - Protocol issues
+
+ - Attack vectors
+
+### Risk mitigation
+
+Reports provide recommendations to help you improve your security score. For example, install the latest security updates, upgrade firmware to the latest version or follow up on alerts.
+
+## About security scores
+
+Overall network security score is generated in each report. The score represents the percentage of 100 percent security. For example, a score of 30% would indicate that your network 30% secure.
+
+Risk Assessment scores are based on information learned from packet inspection, behavioral modeling engines, and a SCADA-specific state machine design.
+
+**Secure Devices** are devices with a security score above 90 %.
+
+**Devices Needing Improvement**: Devices with a security score between 70 percent and 89 %.
+
+**Vulnerable Devices** are devices with a security score below 70 %.
+
+## Create risk assessment reports
+
+Create a PDF risk assessment report. The report name is automatically generated as risk-assessment-report-1.pdf. The number is updated for each new report you create. The time and day of creation are displayed.
+
+### Create a sensor risk assessment report
+
+Create a risk assessment report based on detections made by the sensor you are logged into.
+
+To create a report:
+
+1. Login to the sensor console.
+1. Select **Risk Assessment** on the side menu.
+1. Select **Generate Report**. The report appears in the Archived Reports section.
+1. Select the report from the Archived Reports section to download it.
+
+:::image type="content" source="media/how-to-generate-reports/risk-assessment.png" alt-text="A view of the risk assessment.":::
+
+To import a company logo:
+
+- Select **Import Logo**.
+
+### Create an on-premises management console risk assessment report
+
+Create a risk assessment report based on detections made by the any of the sensors managed by your on-premises management console.
+
+To create a report:
+
+1. Select **Risk Assessment** on the side menu.
+
+2. Select a sensor from the **Select sensor** drop-down list.
+
+3. Select **Generate Report**.
+
+4. Select **Download** from the **Archived Reports** section.
+
+To import a company logo:
+
+- Select **Import Logo**.
+
+:::image type="content" source="media/how-to-generate-reports/import-logo-screenshot.png" alt-text="Import your logo through the risk assessment view.":::
+
+## See also
+
+[Attack vector reporting](how-to-create-attack-vector-reports.md)
+
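Review bot: The score explanation under "About security scores" is missing a verb and is circular: "The score represents the percentage of 100 percent security. For example, a score of 30% would indicate that your network 30% secure." Suggest "The score is expressed as a percentage, where 100% means all detected devices are secure; for example, a score of 30% indicates that the network is 30% secure." The three band definitions that follow mix notations ("above 90 %", "between 70 percent and 89 %", "below 70 %") and sentence forms (two use "are devices with", one uses a colon); use one form and one percent notation. The bands also leave a gap: "above 90 %", "between 70 percent and 89 %" and "below 70 %" do not say where a device scoring exactly 90 lands, so state whether 90 counts as secure or as needing improvement. Also "Login to the sensor console" should be "Log in to", and "made by the any of the sensors" has a stray "the".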
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/how-to-create-trends-and-statistics-reports https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/how-to-create-trends-and-statistics-reports.md new file mode 100644 /dev/null
@@ -0,0 +1,76 @@
+
+ Title: Generate trends and statistics reports
+description: Gain insight into network activity, statistics and trends by using Defender for IoT Trends and Statistics widgets.
+++ Last updated : 01/24/2021++++
+# Sensor trends and statistics reports
+
+## About sensor trends and statistics reports
+
+You can create widget graphs and pie charts to gain insight into network trends and statistics. Widgets can be grouped under user-defined dashboards.
+
+> [!NOTE]
+> Administrator and security analysts can create Trends and Statistics reports.
+
+The dashboard consists of widgets that graphically describe the following types of information:
+
+- Traffic by port
+- Channel bandwidth
+- Total bandwidth
+- Active TCP connection
+- Devices:
+ - New devices
+ - Busy devices
+ - Devices by vendor
+ - Devices by OS
+ - Disconnected devices
+- Connectivity drop by hours
+- Alerts for incidents by type
+- Database table access
+- Protocol dissection widgets
+- Ethernet and IP address:
+ - Ethernet and IP address traffic by CIP service
+ - Ethernet and IP address traffic by CIP class
+ - Ethernet and IP address traffic by command
+- OPC:
+ - OPC top management operations
+ - OPC top I/O operations
+- Siemens S7:
+ - S7 traffic by control function
+ - S7 traffic by subfunction
+- SRTP:
+ - SRTP traffic by service code
+ - SRTP errors by day
+- SuiteLink:
+ - SuiteLink top queried tags
+ - SuiteLink numeric tag behavior
+- IEC-60870 traffic by ASDU
+- DNP3 traffic by function
+- MMS traffic by service
+- Modbus traffic by function
+- OPC-UA traffic by service
+
+> [!NOTE]
+> The time in the widgets is set according to the sensor time.
+
+## Create reports
+
+To see dashboards and widgets:
+
+Select **Trends & Statistics** on the side menu.
+
+:::image type="content" source="media/how-to-generate-reports/investigation-screenshot.png" alt-text="Screenshot of an investigation.":::
+
+By default, results are displayed for detections over the last 7 days. You can use filter tools change this range. For example a free text search.
+
+## See also
+
+[Risk assessment reporting](how-to-create-risk-assessment-reports.md)
+[Sensor data mining queries](how-to-create-data-mining-queries.md)
+[Attack vector reporting](how-to-create-attack-vector-reports.md)
\ No newline at end of file
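Review bot: The last paragraph under "Create reports" is missing a word and conflates two things: "You can use filter tools change this range. For example a free text search." needs "to change", and a free-text search does not change the time range. Suggest "You can use the filter tools to change this range or narrow the results, for example with a free-text search." Also: the screenshot alt text "Screenshot of an investigation" does not describe the Trends & Statistics view; "Active TCP connection" in the widget list should be plural like its neighbours; "Administrator and security analysts" in the note should be "Administrators and security analysts"; and the file ends without a trailing newline ("\ No newline at end of file").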
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/how-to-enhance-port-and-vlan-name-resolution https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/how-to-enhance-port-and-vlan-name-resolution.md a/articles/defender-for-iot/how-to-enhance-port-and-vlan-name-resolution.md
@@ -79,7 +79,8 @@ To configure VLANs:
## Next steps
-View enriched device information in the reports for device inventory and data mining:
+View enriched device information in various reports:
- [Investigate sensor detections in a device inventory](how-to-investigate-sensor-detections-in-a-device-inventory.md)-- [Generate reports](how-to-generate-reports.md)
+- [Sensor trends and statistics reports](how-to-create-trends-and-statistics-reports.md)
+- [Sensor data mining queries](how-to-create-data-mining-queries.md)
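Review bot: The link to how-to-generate-reports.md is removed here (and from the alert-event article's See also in this same change) while the three new articles cross-link among themselves and to how-to-create-attack-vector-reports.md, so before merging confirm that no other page in the repo still references how-to-generate-reports.md and that a redirect exists for its published URL; otherwise the old address 404s. Consider also listing the risk assessment article in this "Next steps" set, since the new trends-and-statistics article's See also links it alongside these two.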
defender-for-iot https://docs.microsoft.com/en-us/azure/defender-for-iot/how-to-manage-the-alert-event https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/defender-for-iot/how-to-manage-the-alert-event.md a/articles/defender-for-iot/how-to-manage-the-alert-event.md
@@ -103,6 +103,4 @@ When an event is muted, it's ignored any time the source sends an HTTP header wi
## See also
-[Generate reports](how-to-generate-reports.md)
- [Control what traffic is monitored](how-to-control-what-traffic-is-monitored.md)
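Review bot: After the Generate reports link is removed, this See also has a single entry and no longer points readers of the alert article to any reporting page. Since the new reporting articles replace that page, link the relevant ones here (the data mining and trends-and-statistics articles that the VLAN article's Next steps gains in this same change).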
digital-twins https://docs.microsoft.com/en-us/azure/digital-twins/how-to-authenticate-client https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-authenticate-client.md a/articles/digital-twins/how-to-authenticate-client.md
@@ -19,7 +19,7 @@
After you [set up an Azure Digital Twins instance and authentication](how-to-set-up-instance-portal.md), you can create a client application that you will use to interact with the instance. Once you have set up a starter client project, you'll need to **write code in that client app to authenticate it** against the Azure Digital Twins instance.
-Azure Digital Twins performs authentication using [Azure AD Security Tokens based on OAUTH 2.0](../active-directory/develop/security-tokens.md#json-web-tokens-jwts-and-claims). To authenticate your SDK, you'll need to get a bearer token with the right permissions to Azure Digital Twins, and pass it along with your API calls.
+Azure Digital Twins performs authentication using [Azure AD Security Tokens based on OAUTH 2.0](../active-directory/develop/security-tokens.md#json-web-tokens-and-claims). To authenticate your SDK, you'll need to get a bearer token with the right permissions to Azure Digital Twins, and pass it along with your API calls.
This article describes how to obtain credentials using the `Azure.Identity` client library. While this article shows code examples in C#, such as what you'd write for the [.NET (C#) SDK](/dotnet/api/overview/azure/digitaltwins/client?view=azure-dotnet&preserve-view=true), you can use a version of `Azure.Identity` regardless of what SDK you're using (for more on the SDKs available for Azure Digital Twins, see [*How-to: Use the Azure Digital Twins APIs and SDKs*](how-to-use-apis-sdks.md)).
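Review bot: The only change is the heading fragment in the security-tokens.md link, from #json-web-tokens-jwts-and-claims to #json-web-tokens-and-claims; a wrong fragment fails silently (the page loads at the top), so verify that the target heading now renders with exactly that anchor. While touching the line, "OAUTH 2.0" should be written "OAuth 2.0".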
digital-twins https://docs.microsoft.com/en-us/azure/digital-twins/how-to-manage-routes-apis-cli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-manage-routes-apis-cli.md a/articles/digital-twins/how-to-manage-routes-apis-cli.md
@@ -43,7 +43,9 @@ These are the supported types of endpoints that you can create for your instance
For more information on the different endpoint types, see [*Choose between Azure messaging services*](../event-grid/compare-messaging-services.md).
-To link an endpoint to Azure Digital Twins, the event grid topic, event hub, or Service Bus that you're using for the endpoint needs to exist already.
+This section explains how to create one of these endpoints using the Azure CLI.
+
+[!INCLUDE [digital-twins-endpoint-resources.md](../../includes/digital-twins-endpoint-resources.md)]
### Create an Event Grid endpoint
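Review bot: The removed sentence stated a hard prerequisite (the event grid topic, event hub, or Service Bus must already exist) and nothing in this hunk restates it; the article now depends entirely on the include digital-twins-endpoint-resources.md, which is not part of this change. Confirm that the include exists and states that prerequisite, and, since the portal article drops its authorization-rule prerequisites for Event Hubs and Service Bus in the same change, that it also says which rights the authorization rule needs.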
digital-twins https://docs.microsoft.com/en-us/azure/digital-twins/how-to-manage-routes-portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-manage-routes-portal.md a/articles/digital-twins/how-to-manage-routes-portal.md
@@ -34,11 +34,11 @@ Alternatively, you can also manage endpoints and routes with the [Event Routes A
You can find these details in the [Azure portal](https://portal.azure.com) after setting up your instance. Log into the portal and search for the name of your instance in the portal search bar.
-:::image type="content" source="media/how-to-manage-routes-portal/search-field-portal.png" alt-text="Screenshot of Azure portal search bar.":::
+:::image type="content" source="media/how-to-manage-routes-portal/search-field-portal.png" alt-text="Screenshot of Azure portal search bar." lightbox="media/how-to-manage-routes-portal/search-field-portal.png":::
-Select your instance from the results to see the details page for your instance:
+Select your instance from the results to see these details in the Overview for your instance:
-:::image type="content" source="media/how-to-manage-routes-portal/instance-details.png" alt-text="Screenshot of ADT instance details." border="false":::
+:::image type="content" source="media/how-to-manage-routes-portal/instance-details.png" alt-text="Screenshot of the Overview page for an Azure Digital Twins instance. The name and resource group are highlighted.":::
## Create an endpoint for Azure Digital Twins
@@ -49,75 +49,39 @@ These are the supported types of endpoints that you can create for your instance
For more information on the different endpoint types, see [*Choose between Azure messaging services*](../event-grid/compare-messaging-services.md).
-To link an endpoint to Azure Digital Twins, the event grid topic, event hub, or Service Bus that you're using for the endpoint needs to exist already.
+This section explains how to create one of these endpoints in the [Azure portal](https://portal.azure.com).
-### Create an Event Grid endpoint
+[!INCLUDE [digital-twins-endpoint-resources.md](../../includes/digital-twins-endpoint-resources.md)]
-**Prerequisite**: Create an event grid topic by following the steps in [the *Create a custom topic* section](../event-grid/custom-event-quickstart-portal.md#create-a-custom-topic) of the Event Grid *Custom events* quickstart.
+### Create the endpoint
-Once you have created the topic, you can link it to Azure Digital Twins from your Azure Digital Twins instance's page in the [Azure portal](https://portal.azure.com) (you can find the instance by entering its name into the portal search bar).
+Once you have created the endpoint resources, you can use them for an Azure Digital Twins endpoint. To create a new endpoint, go to your instance's page in the [Azure portal](https://portal.azure.com) (you can find the instance by entering its name into the portal search bar).
-From the instance menu, select _Endpoints_. Then from the *Endpoints* page that follows, select *+ Create an endpoint*.
+1. From the instance menu, select _Endpoints_. Then from the *Endpoints* page that follows, select *+ Create an endpoint*.
-On the *Create an Endpoint* page that opens up, you can create an endpoint of type _Event Grid_ by selecting the corresponding radio button. Complete the other details: enter a name for your endpoint in the _Name_ field, choose your _Subscription_ from the dropdown, and choose your pre-created _Event Grid Topic_ from the third dropdown.
+1. On the *Create an Endpoint* page that opens up, enter a **Name** for your endpoint and choose the **Endpoint type**.
-Then, create your endpoint by hitting _Save_.
+1. Complete the other details that are required for your endpoint type, including your subscription and the endpoint resources described [above](#prerequisite-create-endpoint-resources).
-:::image type="content" source="media/how-to-manage-routes-portal/create-endpoint-event-grid.png" alt-text="Screenshot of creating an endpoint of type Event Grid.":::
+ :::image type="content" source="media/how-to-manage-routes-portal/create-endpoint-event-hub.png" alt-text="Screenshot of creating an endpoint of type Event Hub." lightbox="media/how-to-manage-routes-portal/create-endpoint-event-hub.png":::
-You can verify that the endpoint is successfully created by checking the notification icon in the top Azure portal bar:
-
-:::image type="content" source="media/how-to-manage-routes-portal/create-endpoint-notifications.png" alt-text="Screenshot of notification to verify the creation of endpoint." border="false":::
-
-You can also view the endpoint that was created back on the *Endpoints* page for your Azure Digital Twins instance.
-
-If the endpoint creation fails, observe the error message and retry after a few minutes.
-
-Now, the event grid topic is available as an endpoint inside of Azure Digital Twins, under the name specified in the _Name_ field. You will typically use that name as the target of an **event route**, which you'll create [later in this article](#create-an-event-route).
-
-### Create an Event Hubs endpoint
+1. Finish creating your endpoint by selecting the _Save_ button.
-**Prerequisites**:
-* You'll need an _Event Hubs namespace_ and an _event hub_. Create both of these by following the steps in the Event Hubs [*Create an event hub*](../event-hubs/event-hubs-create.md) quickstart.
-* You'll need an _authorization rule_. To create this, refer to the Event Hubs [*Authorizing access to Event Hubs resources using Shared Access Signatures*](../event-hubs/authorize-access-shared-access-signature.md) article.
-
-Go to the details page for your Azure Digital Twins instance in the [Azure portal](https://portal.azure.com) (you can find it by entering its name into the portal search bar).
-
-From the instance menu, select _Endpoints_. Then from the *Endpoints* page that follows, select *+ Create an endpoint*.
-
-On the *Create an Endpoint* page that opens up, you can create an endpoint of type _Event Hub_ by selecting the corresponding radio button. Enter a name for your endpoint in the _Name_ field. Then select your _Subscription_, and your pre-created _Event hub namespace_, _Event Hub_, and _Authorization rule_ from the respective dropdowns.
-
-Then, create your endpoint by hitting _Save_.
-
-:::image type="content" source="media/how-to-manage-routes-portal/create-endpoint-event-hub.png" alt-text="Screenshot of creating an endpoint of type Event Hubs.":::
+You can verify that the endpoint is successfully created by checking the notification icon in the top Azure portal bar:
-You can verify that the endpoint is successfully created by checking the notification icon in the top Azure portal bar.
+:::row:::
+ :::column:::
+ :::image type="content" source="media/how-to-manage-routes-portal/create-endpoint-notifications.png" alt-text="Screenshot of notification to verify the creation of endpoint. The bell-shaped icon from the portal's top bar is selected, and there is a notification saying 'Endpoint ADT-eh-endpoint successfully created'.":::
+ :::column-end:::
+ :::column:::
+ :::column-end:::
+:::row-end:::
If the endpoint creation fails, observe the error message and retry after a few minutes.
-Now, the Event hub is available as an endpoint inside of Azure Digital Twins, under the name specified in the _Name_ field. You will typically use that name as the target of an **event route**, which you'll create [later in this article](#create-an-event-route).
-
-### Create a Service Bus endpoint
-
-**Prerequisites**:
-* You'll need a _Service Bus namespace_ and a _Service Bus topic_. Create both of these by following the steps in the Service Bus [*Create topics and subscriptions*](../service-bus-messaging/service-bus-quickstart-topics-subscriptions-portal.md) quickstart. You do not need to complete the [*Create subscriptions to the topic*](../service-bus-messaging/service-bus-quickstart-topics-subscriptions-portal.md#create-subscriptions-to-the-topic) section.
-* You'll need an _Authorization rule_. To create this, refer to the Service Bus [*Authentication and authorization*](../service-bus-messaging/service-bus-authentication-and-authorization.md#shared-access-signature) article.
-
-Go to the details page for your Azure Digital Twins instance in the [Azure portal](https://portal.azure.com) (you can find it by entering its name into the portal search bar).
-
-From the instance menu, select _Endpoints_. Then from the *Endpoints* page that follows, select *+ Create an endpoint*.
-
-On the *Create an Endpoint* page that opens up, you can create an endpoint of type _Service Bus_ by selecting the corresponding radio button. Enter a name for your endpoint in the _Name_ field. Then select your _Subscription_, and your pre-created _Service Bus namespace_, _Service Bus topic_, and _Authorization rule_ from the respective dropdowns.
-
-Then, create your endpoint by hitting _Save_.
-
-:::image type="content" source="media/how-to-manage-routes-portal/create-endpoint-service-bus.png" alt-text="Screenshot of creating an endpoint of type Service Bus.":::
-
-You can verify that the endpoint is successfully created by checking the notification icon in the top Azure portal bar.
-
-If the endpoint creation fails, observe the error message and retry after a few minutes.
+You can also view the endpoint that was created back on the *Endpoints* page for your Azure Digital Twins instance.
-Now, the Service Bus topic is available as an endpoint inside of Azure Digital Twins, under the name specified in the _Name_ field. You will typically use that name as the target of an **event route**, which you'll create [later in this article](#create-an-event-route).
+Now the Event Grid, Event Hub, or Service Bus is available as an endpoint inside of Azure Digital Twins, under the name you chose for the endpoint. You will typically use that name as the target of an **event route**, which you'll create [later in this article](#create-an-event-route).
### Create an endpoint with dead-lettering
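Review bot: dropping `If the endpoint creation fails, observe the error message and retry after a few minutes.` removes the only failure-handling guidance in this procedure; keep it next to the new sentence about viewing the endpoint on the *Endpoints* page rather than replacing it. The *Authorization rule* prerequisite at `-* You'll need an _Authorization rule_.` should also tell the reader to create a Send-only shared access policy on the topic instead of reusing the namespace-level RootManageSharedAccessKey, since Azure Digital Twins only needs to publish to that topic and the rule is stored on the endpoint.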
digital-twins https://docs.microsoft.com/en-us/azure/digital-twins/how-to-set-up-instance-portal https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/digital-twins/how-to-set-up-instance-portal.md a/articles/digital-twins/how-to-set-up-instance-portal.md
@@ -73,13 +73,13 @@ You now have an Azure Digital Twins instance ready to go. Next, you'll give the
[!INCLUDE [digital-twins-setup-role-assignment.md](../../includes/digital-twins-setup-role-assignment.md)]
-First, open the page for your Azure Digital Twins instance in the Azure portal. From the instance's menu, select *Access control (IAM)*. Select the *Add* button under *Add a role assignment*.
+First, open the page for your Azure Digital Twins instance in the Azure portal. From the instance's menu, select *Access control (IAM)*. Select the **+ Add** button to add a new role assignment.
:::image type="content" source="media/how-to-set-up-instance/portal/add-role-assignment-1.png" alt-text="Selecting to add a role assignment from the 'Access control (IAM)' page"::: On the following *Add role assignment* page, fill in the values (must be completed by a user with [sufficient permissions](#prerequisites-permission-requirements) in the Azure subscription): * **Role**: Select *Azure Digital Twins Data Owner* from the dropdown menu
-* **Assign access to**: Select *Azure AD user, group or service principal* from the dropdown menu
+* **Assign access to**: Use *User, group or service principal*
* **Select**: Search for the name or email address of the user to assign. When you select the result, the user will show up in a *Selected members* section. :::row:::
event-grid https://docs.microsoft.com/en-us/azure/event-grid/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-grid/policy-reference.md a/articles/event-grid/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure Event Grid description: Lists Azure Policy built-in policy definitions for Azure Event Grid. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
event-grid https://docs.microsoft.com/en-us/azure/event-grid/resize-images-on-storage-blob-upload-event https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-grid/resize-images-on-storage-blob-upload-event.md a/articles/event-grid/resize-images-on-storage-blob-upload-event.md
@@ -278,7 +278,7 @@ An event subscription indicates which provider-generated events you want sent to
1. Switch to the **Filters** tab, and do the following actions: 1. Select **Enable subject filtering** option.
- 1. For **Subject begins with**, enter the following value : **/blobServices/default/containers/images/blobs/**.
+ 1. For **Subject begins with**, enter the following value : **/blobServices/default/containers/images/**.
![Specify filter for the event subscription](./media/resize-images-on-storage-blob-upload-event/event-subscription-filter.png)
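Review bot: the shortened prefix `/blobServices/default/containers/images/` should be explained in the text or reverted. Blob event subjects have the form `/blobServices/default/containers/<container>/blobs/<blob>`, so both values select the same events and the trailing slash still excludes containers such as `images-archive`; the `/blobs/` form is the one that documents the subject layout for readers who adapt the filter, so if it was removed for brevity say so, otherwise keep it.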
event-hubs https://docs.microsoft.com/en-us/azure/event-hubs/authenticate-managed-identity https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/authenticate-managed-identity.md a/articles/event-hubs/authenticate-managed-identity.md
@@ -2,7 +2,7 @@
Title: Authentication a managed identity with Azure Active Directory description: This article provides information about authenticating a managed identity with Azure Active Directory to access Azure Event Hubs resources Previously updated : 06/23/2020 Last updated : 01/25/2021 # Authenticate a managed identity with Azure Active Directory to access Event Hubs Resources
@@ -35,11 +35,12 @@ Once the application is created, follow these steps:
1. Select the **Status** to be **On**. 1. Select **Save** to save the setting.
- ![Managed identity for a web app](./media/authenticate-managed-identity/identity-web-app.png)
+ :::image type="content" source="./media/authenticate-managed-identity/identity-web-app.png" alt-text="Managed identity for a web app":::
+4. Select **Yes** on the information message.
-Once you've enabled this setting, a new service identity is created in your Azure Active Directory (Azure AD) and configured into the App Service host.
+ Once you've enabled this setting, a new service identity is created in your Azure Active Directory (Azure AD) and configured into the App Service host.
-Now, assign this service identity to a role in the required scope in your Event Hubs resources.
+ Now, assign this service identity to a role in the required scope in your Event Hubs resources.
### To Assign Azure roles using the Azure portal To assign a role to Event Hubs resources, navigate to that resource in the Azure portal. Display the Access Control (IAM) settings for the resource, and follow these instructions to manage role assignments:
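Review bot: `+4. Select **Yes** on the information message.` is hard-numbered while every other item in the list uses `1.`; use `1.` so the list keeps auto-numbering. The step also doesn't say what the message asks the user to confirm; since the re-indented paragraph right after it explains that a service identity is created in Azure AD, one clause such as "confirming that the identity will be registered in Azure AD" makes the prompt recognizable. Re-indenting the two paragraphs under step 4 is correct.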
@@ -50,15 +51,20 @@ To assign a role to Event Hubs resources, navigate to that resource in the Azure
1. In the Azure portal, navigate to your Event Hubs namespace and display the **Overview** for the namespace. 1. Select **Access Control (IAM)** on the left menu to display access control settings for the event hub. 1. Select the **Role assignments** tab to see the list of role assignments.
-3. Select **Add** to add a new role.
-4. On the **Add role assignment** page, select the Event Hubs roles that you want to assign. Then search to locate the service identity you had registered to assign the role.
+3. Select **Add**, and then select **Add role assignment***.
+4. On the **Add role assignment** page, follow these steps:
+ 1. For **Role**, select the Event Hubs role that you want to assign. In this example, it's **Azure Event Hubs Data Owner**.
+ 1. For the **Assign access to** field, select **App Service** under **System assigned managed identity**.
+ 1. Select the **subscription** in which the managed identity for the web app was created.
+ 1. Select the **managed identity** for the web app you created. The default name for the identity is same as the name of the web app.
+ 1. Then, select **Save**.
- ![Add role assignment page](./media/authenticate-managed-identity/add-role-assignment-page.png)
-5. Select **Save**. The identity to whom you assigned the role appears listed under that role. For example, the following image shows that service identity has Event Hubs Data owner.
-
- ![Identity assigned to a role](./media/authenticate-managed-identity/role-assigned.png)
+ ![Add role assignment page](./media/authenticate-managed-identity/add-role-assignment-page.png)
+
+ Once you've assigned the role, the web application will have access to the Event Hubs resources under the defined scope.
-Once you've assigned the role, the web application will have access to the Event Hubs resources under the defined scope.
+ > [!NOTE]
+ > For a list of services that support managed identities, see [Services that support managed identities for Azure resources](../active-directory/managed-identities-azure-resources/services-support-managed-identities.md).
### Test the web application 1. Create an Event Hubs namespace and an event hub.
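Review bot: the example assigns **Azure Event Hubs Data Owner**, the broadest data-plane role, without saying why; an app that only publishes needs **Azure Event Hubs Data Sender** and one that only consumes needs **Azure Event Hubs Data Receiver**, and the assignment should be scoped to the individual event hub rather than the namespace unless the app needs every hub. Add a sentence that Owner at namespace scope is used here for the demo and point to the narrower roles. Two small fixes in the same hunk: `+3. Select **Add**, and then select **Add role assignment***.` has a stray third asterisk, and `The default name for the identity is same as the name of the web app.` is missing "the".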
event-hubs https://docs.microsoft.com/en-us/azure/event-hubs/event-hubs-availability-and-consistency https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/event-hubs-availability-and-consistency.md a/articles/event-hubs/event-hubs-availability-and-consistency.md
@@ -7,40 +7,28 @@
# Availability and consistency in Event Hubs
+This article provides information about availability and consistency supported by Azure Event Hubs.
-## Overview
-Azure Event Hubs uses a [partitioning model](event-hubs-scalability.md#partitions) to improve availability and parallelization within a single event hub. For example, if an event hub has four partitions, and one of those partitions is moved from one server to another in a load balancing operation, you can still send and receive from three other partitions. Additionally, having more partitions enables you to have more concurrent readers processing your data, improving your aggregate throughput. Understanding the implications of partitioning and ordering in a distributed system is a critical aspect of solution design.
-
-To help explain the trade-off between ordering and availability, see the [CAP theorem](https://en.wikipedia.org/wiki/CAP_theorem), also known as Brewer's theorem. This theorem discusses the choice between consistency, availability, and partition tolerance. It states that for the systems partitioned by network there is always tradeoff between consistency and availability.
-
-Brewer's theorem defines consistency and availability as follows:
-* Partition tolerance: the ability of a data processing system to continue processing data even if a partition failure occurs.
-* Availability: a non-failing node returns a reasonable response within a reasonable amount of time (with no errors or timeouts).
-* Consistency: a read is guaranteed to return the most recent write for a given client.
+## Availability
+Azure Event Hubs spreads the risk of catastrophic failures of individual machines or even complete racks across clusters that span multiple failure domains within a datacenter. It implements transparent failure detection and failover mechanisms such that the service will continue to operate within the assured service-levels and typically without noticeable interruptions when such failures occur. If an Event Hubs namespace has been created with the enabled option for [availability zones](../availability-zones/az-overview.md), the outage risk is further spread across three physically separated facilities, and the service has enough capacity reserves to instantly cope with the complete, catastrophic loss of the entire facility. For more information, see [Azure Event Hubs - Geo-disaster recovery](event-hubs-geo-dr.md).
-> [!NOTE]
-> The term **partition** is used in different contexts in Event Hubs and CAP theorem.
-> - **Event Hubs** organizes events into one or more partitions. Partitions are independent and contain their own sequence of data, they often grow at different rates. For more information, see [Partitions](event-hubs-features.md#partitions).
-> - In **CAP theorem**, a partition is a communications break between nodes in a distributed system.
+When a client application sends events to an event hub, events are automatically distributed among partitions in your event hub. If a partition isn't available for some reason, events are distributed among the remaining partitions. This behavior allows for the greatest amount of up time. For use cases that require the maximum up time, this model is preferred instead of sending events to a specific partition. For more information, see [Partitions](event-hubs-scalability.md#partitions).
-## Partition tolerance
-Event Hubs is built on top of a partitioned data model. You can configure the number of partitions in your event hub during setup, but you cannot change this value later. Since you must use partitions with Event Hubs, you have to make a decision about availability and consistency for your application.
+## Consistency
+In some scenarios, the ordering of events can be important. For example, you may want your back-end system to process an update command before a delete command. In this scenario, a client application sends events to a specific partition so that the ordering is preserved. When a consumer application consumes these events from the partition, they are read in order.
-## Availability
-The simplest way to get started with Event Hubs is to use the default behavior.
+With this configuration, keep in mind that if the particular partition to which you are sending is unavailable, you will receive an error response. As a point of comparison, if you don't have an affinity to a single partition, the Event Hubs service sends your event to the next available partition.
-#### [Azure.Messaging.EventHubs (5.0.0 or later)](#tab/latest)
-If you create a new **[EventHubProducerClient](/dotnet/api/azure.messaging.eventhubs.producer.eventhubproducerclient)** object and use the **[SendAsync](/dotnet/api/azure.messaging.eventhubs.producer.eventhubproducerclient.sendasync)** method, your events are automatically distributed between partitions in your event hub. This behavior allows for the greatest amount of up time.
+One possible solution to ensure ordering, while also maximizing up time, would be to aggregate events as part of your event processing application. The easiest way to accomplish it is to stamp your event with a custom sequence number property.
-#### [Microsoft.Azure.EventHubs (4.1.0 or earlier)](#tab/old)
-If you create a new **[EventHubClient](/dotnet/api/microsoft.azure.eventhubs.eventhubclient)** object and use the **[Send](/dotnet/api/microsoft.azure.eventhubs.eventhubclient.sendasync#Microsoft_Azure_EventHubs_EventHubClient_SendAsync_Microsoft_Azure_EventHubs_EventData_)** method, your events are automatically distributed between partitions in your event hub. This behavior allows for the greatest amount of up time.
+In this scenario, producer client sends events to one of the available partitions in your event hub, and sets the corresponding sequence number from your application. This solution requires state to be kept by your processing application, but gives your senders an endpoint that is more likely to be available.
-
+## Appendix
-For use cases that require the maximum up time, this model is preferred.
+### .NET examples
-## Consistency
-In some scenarios, the ordering of events can be important. For example, you may want your back-end system to process an update command before a delete command. In this instance, you can either set the partition key on an event, or use a `PartitionSender` object (if you are using the old Microsoft.Azure.Messaging library) to only send events to a certain partition. Doing so ensures that when these events are read from the partition, they are read in order.
+#### Send events to a specific partition
+Either set the partition key on an event, or use a `PartitionSender` object (if you are using the old Microsoft.Azure.Messaging library) to only send events to a certain partition. Doing so ensures that when these events are read from the partition, they are read in order.
If you are using the newer **Azure.Messaging.EventHubs** library, see [Migrating code from PartitionSender to EventHubProducerClient for publishing events to a partition](https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/eventhub/Azure.Messaging.EventHubs/MigrationGuide.md#migrating-code-from-partitionsender-to-eventhubproducerclient-for-publishing-events-to-a-partition).
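Review bot: `+Either set the partition key on an event, or use a \`PartitionSender\` object (if you are using the old Microsoft.Azure.Messaging library)` names the wrong package; the removed tab header `-#### [Microsoft.Azure.EventHubs (4.1.0 or earlier)]` in this same hunk shows `PartitionSender` belongs to Microsoft.Azure.EventHubs. The mistake is carried over from the old text, but the move is the time to fix it. In the new Availability paragraph, the sentence about availability zones ends with `For more information, see [Azure Event Hubs - Geo-disaster recovery]`, which is a different feature (paired namespaces across regions); link the availability-zones article already cited, or say that both exist and what each covers. Also `+In this scenario, producer client sends events` needs "the".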
@@ -87,9 +75,8 @@ finally
-With this configuration, keep in mind that if the particular partition to which you are sending is unavailable, you will receive an error response. As a point of comparison, if you do not have an affinity to a single partition, the Event Hubs service sends your event to the next available partition.
-
-One possible solution to ensure ordering, while also maximizing up time, would be to aggregate events as part of your event processing application. The easiest way to accomplish this is to stamp your event with a custom sequence number property. The following code shows an example:
+### Set a sequence number
+The following example stamps your event with a custom sequence number property.
#### [Azure.Messaging.EventHubs (5.0.0 or later)](#tab/latest)
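Review bot: `+### Set a sequence number` sits at the same level as `### .NET examples` in the hunk above, while its sibling `#### Send events to a specific partition` is one level down; make it `####`. The new lead-in `The following example stamps your event with a custom sequence number property.` also lost the reason for doing so: the number is what lets the processing application re-order events that arrived on different partitions, at the cost of keeping state, as the moved Consistency text says. One clause restoring that keeps the appendix readable on its own.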
event-hubs https://docs.microsoft.com/en-us/azure/event-hubs/policy-reference https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/policy-reference.md a/articles/event-hubs/policy-reference.md
@@ -1,7 +1,7 @@
Title: Built-in policy definitions for Azure Event Hubs description: Lists Azure Policy built-in policy definitions for Azure Event Hubs. These built-in policy definitions provide common approaches to managing your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
event-hubs https://docs.microsoft.com/en-us/azure/event-hubs/security-controls-policy https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/event-hubs/security-controls-policy.md a/articles/event-hubs/security-controls-policy.md
@@ -1,7 +1,7 @@
Title: Azure Policy Regulatory Compliance controls for Azure Event Hubs description: Lists Azure Policy Regulatory Compliance controls available for Azure Event Hubs. These built-in policy definitions provide common approaches to managing the compliance of your Azure resources. Previously updated : 01/21/2021 Last updated : 01/25/2021
governance https://docs.microsoft.com/en-us/azure/governance/blueprints/create-blueprint-azurecli https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/blueprints/create-blueprint-azurecli.md a/articles/governance/blueprints/create-blueprint-azurecli.md
@@ -1,7 +1,7 @@
Title: "Quickstart: Create a blueprint with Azure CLI" description: In this quickstart, you use Azure Blueprints to create, define, and deploy artifacts using the Azure CLI. Previously updated : 10/14/2020 Last updated : 01/26/2021 # Quickstart: Define and Assign an Azure Blueprint with Azure CLI
@@ -14,8 +14,10 @@ organization, such as:
## Prerequisites
-If you don't have an Azure subscription, create a [free account](https://azure.microsoft.com/free)
-before you begin.
+- If you don't have an Azure subscription, create a
+ [free account](https://azure.microsoft.com/free) before you begin.
+- If you've not used Azure Blueprints before, register the resource provider through Azure CLI with
+ `az provider register --namespace Microsoft.Blueprint`.
[!INCLUDE [cloud-shell-try-it.md](../../../includes/cloud-shell-try-it.md)]
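Review bot: `az provider register --namespace Microsoft.Blueprint` requires the `*/register/action` permission on the subscription (Contributor or Owner); the prerequisite should say so, since a reader with only Blueprint rights will get an authorization error here. Registration is also asynchronous, so add the check `az provider show --namespace Microsoft.Blueprint --query registrationState -o tsv` and tell the reader to wait for `Registered` before running the blueprint commands.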
governance https://docs.microsoft.com/en-us/azure/governance/policy/samples/azure-security-benchmark https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/samples/azure-security-benchmark.md a/articles/governance/policy/samples/azure-security-benchmark.md
@@ -1,219 +1,187 @@
Title: Regulatory Compliance details for Azure Security Benchmark v1
-description: Details of the Azure Security Benchmark v1 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment.
Previously updated : 01/21/2021
+ Title: Regulatory Compliance details for Azure Security Benchmark
+description: Details of the Azure Security Benchmark Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment.
Last updated : 01/25/2021
-# Details of the Azure Security Benchmark v1 Regulatory Compliance built-in initiative
+# Details of the Azure Security Benchmark Regulatory Compliance built-in initiative
The following article details how the Azure Policy Regulatory Compliance built-in initiative
-definition maps to **compliance domains** and **controls** in Azure Security Benchmark v1.
+definition maps to **compliance domains** and **controls** in Azure Security Benchmark.
For more information about this compliance standard, see
-[Azure Security Benchmark v1](../../../security/benchmarks/overview.md). To understand
+[Azure Security Benchmark](../../../security/benchmarks/overview.md). To understand
_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and [Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md).
-The following mappings are to the **Azure Security Benchmark v1** controls. Use the
+The following mappings are to the **Azure Security Benchmark** controls. Use the
navigation on the right to jump directly to a specific **compliance domain**. Many of the controls are implemented with an [Azure Policy](../overview.md) initiative definition. To review the complete initiative definition, open **Policy** in the Azure portal and select the **Definitions** page.
-Then, find and select the **Azure Security Benchmark v1** Regulatory Compliance built-in
+Then, find and select the **Azure Security Benchmark v2** Regulatory Compliance built-in
initiative definition.
-This built-in initiative is deployed as part of the
-[Azure Security Benchmark v1 blueprint sample](../../blueprints/samples/azure-security-benchmark.md).
- > [!IMPORTANT] > Each control below is associated with one or more [Azure Policy](../overview.md) definitions. > These policies may help you [assess compliance](../how-to/get-compliance-data.md) with the
-> control; however, there often is not a one-to-one or complete match between a control and one or
-> more policies. As such, **Compliant** in Azure Policy refers only to the policy definitions
-> themselves; this doesn't ensure you're fully compliant with all requirements of a control. In
-> addition, the compliance standard includes controls that aren't addressed by any Azure Policy
-> definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your
-> overall compliance status. The associations between compliance domains, controls, and Azure Policy
-> definitions for this compliance standard may change over time. To view the change history, see the
-> [GitHub Commit History](https://github.com/Azure/azure-policy/commits/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/asb_audit.json).
+> control; however, there often is not a 1:1 or complete match between a control and one or more
+> policies. As such, **Compliant** in Azure Policy refers only to the policy definitions themselves;
+> this doesn't ensure you're fully compliant with all requirements of a control. In addition, the
+> compliance standard includes controls that aren't addressed by any Azure Policy definitions at
+> this time. Therefore, compliance in Azure Policy is only a partial view of your overall compliance
+> status. The associations between compliance domains, controls, and Azure Policy definitions for
+> this compliance standard may change over time. To view the change history, see the
+> [GitHub Commit History](https://github.com/Azure/azure-policy/commits/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/asb_v2.json).
## Network Security
-### Protect resources using Network Security Groups or Azure Firewall on your Virtual Network
+### Implement security for internal traffic
-**ID**: Azure Security Benchmark 1.1
+**ID**: Azure Security Benchmark NS-1
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) | |[All Internet traffic should be routed via your deployed Azure Firewall](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc5e4038-4584-4632-8c85-c0448d374b2c) |Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall |AuditIfNotExists, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ASC_All_Internet_traffic_should_be_routed_via_Azure_Firewall.json) |
-|[App Service should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2d21331d-a4c2-4def-a9ad-ee4e1e023beb) |This policy audits any App Service not configured to use a virtual network service endpoint. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json) |
+|[API Management services should use a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef619a2c-cc4d-4d03-b2ba-8c94a834d85b) |Virtual network on API Management services of the specified SKU should be enabled. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/API%20Management/ApiManagement_VNETEnabled_Audit.json) |
|[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |
-|[Container Registry should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc4857be7-912a-4c75-87e6-e30292bcdf78) |This policy audits any Container Registry not configured to use a virtual network service endpoint. |Audit, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_ContainerRegistry_Audit.json) |
-|[Cosmos DB should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe0a2b1a3-f7f9-4569-807f-2a9edebdf4d9) |This policy audits any Cosmos DB not configured to use a virtual network service endpoint. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_CosmosDB_Audit.json) |
-|[Event Hub should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd63edb4a-c612-454d-b47d-191a724fcbf0) |This policy audits any Event Hub not configured to use a virtual network service endpoint. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_EventHub_AuditIfNotExists.json) |
+|[Azure Cosmos DB accounts should have firewall rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb) |Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json) |
+|[Cognitive Services accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F037eea7a-bd0a-46c5-9a66-03aea78705d3) |Network access to Cognitive Services accounts should be restricted. Configure network rules so only applications from allowed networks can access the Cognitive Services account. To allow connections from specific internet or on-premises clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_NetworkAcls_Audit.json) |
+|[Container registries should not allow unrestricted network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd0793b48-0edc-4296-a390-4c75d1bdfd71) |Azure container registries by default accept connections over the internet from hosts on any network. To protect your registries from potential threats, allow access from only specific public IP addresses or address ranges. If your registry doesn't have an IP/firewall rule or a configured virtual network, it will appear in the unhealthy resources. Learn more about Container Registry network rules here: [https://aka.ms/acr/portal/public-network](https://aka.ms/acr/portal/public-network) and here [https://aka.ms/acr/vnet](https://aka.ms/acr/vnet). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_NetworkRulesExist_Audit.json) |
+|[Firewall should be enabled on Key Vault](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Key vault's firewall prevents unauthorized traffic from reaching your key vault and provides an additional layer of protection for your secrets. Enable the firewall to make sure that only traffic from allowed networks can access your key vault. |Audit, Disabled |[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultFirewallEnabled_Audit.json) |
|[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) | |[IP Forwarding on your virtual machine should be disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd352bd5-2853-4985-bf0d-73806b4a5744) |Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_IPForwardingOnVirtualMachines_Audit.json) |
-|[Key Vault should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea4d6841-2173-4317-9747-ff522a45120f) |This policy audits any Key Vault not configured to use a virtual network service endpoint. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_KeyVault_Audit.json) |
|[Management ports of virtual machines should be protected with just-in-time network access control](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb0f33259-77d7-4c9e-aac6-3aabcfae693c) |Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json) | |[Management ports should be closed on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22730e10-96f6-4aac-ad84-9383d35b5917) |Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OpenManagementPortsOnVirtualMachines_Audit.json) |
-|[Private endpoint should be enabled for MariaDB servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a1302fb-a631-4106-9753-f3d494733990) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_EnablePrivateEndPoint_Audit.json) |
-|[Private endpoint should be enabled for MySQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7595c971-233d-4bcf-bd18-596129188c49) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnablePrivateEndPoint_Audit.json) |
-|[Private endpoint should be enabled for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0564d078-92f5-4f97-8398-b9f58a51f70b) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json) |
-|[Service Bus should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F235359c5-7c52-4b82-9055-01c75cf9f60e) |This policy audits any Service Bus not configured to use a virtual network service endpoint. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_ServiceBus_AuditIfNotExists.json) |
-|[SQL Server should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fae5d2f14-d830-42b6-9899-df6cfe9c71a3) |This policy audits any SQL Server not configured to use a virtual network service endpoint. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_SQLServer_AuditIfNotExists.json) |
+|[Public network access on Azure SQL Database should be disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b8ca024-1d5c-4dec-8995-b1a932b41780) |Disabling the public network access property improves security by ensuring your Azure SQL Database can only be accessed from a private endpoint. This configuration denies all logins that match IP or virtual network based firewall rules. |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PublicNetworkAccess_Audit.json) |
+|[Public network access should be disabled for Cognitive Services accounts](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0725b4dd-7e76-479c-a735-68e7ee23d5ca) |This policy audits any Cognitive Services account in your environment with public network access enabled. Public network access should be disabled so that only connections from private endpoints are allowed. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_DisablePublicNetworkAccess_Audit.json) |
+|[Public network access should be disabled for MariaDB servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffdccbe47-f3e3-4213-ad5d-ea459b2fa077) |Disable the public network access property to improve security and ensure your Azure Database for MariaDB can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_DisablePublicNetworkAccess_Audit.json) |
+|[Public network access should be disabled for MySQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd9844e8a-1437-4aeb-a32c-0c992f056095) |Disable the public network access property to improve security and ensure your Azure Database for MySQL can only be accessed from a private endpoint. This configuration strictly disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_DisablePublicNetworkAccess_Audit.json) |
+|[Public network access should be disabled for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb52376f7-9612-48a1-81cd-1ffe4b61032c) |Disable the public network access property to improve security and ensure your Azure Database for PostgreSQL can only be accessed from a private endpoint. This configuration disables access from any public address space outside of Azure IP range, and denies all logins that match IP or virtual network-based firewall rules. |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_DisablePublicNetworkAccess_Audit.json) |
|[Storage accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) |Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) |
-|[Storage Accounts should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F60d21c4f-21a3-4d94-85f4-b924e6aeeda4) |This policy audits any Storage Account not configured to use a virtual network service endpoint. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_StorageAccount_Audit.json) |
+|[Storage accounts should restrict network access using virtual network rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2a1a9cdf-e04d-429a-8416-3bfb72a1b26f) |Protect your storage accounts from potential threats using virtual network rules as a preferred method instead of IP-based filtering. Disabling IP-based filtering prevents public IPs from accessing your storage accounts. |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountOnlyVnetRulesEnabled_Audit.json) |
|[Subnets should be associated with a Network Security Group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe71308d3-144b-4262-b144-efdc3cc90517) |Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnSubnets_Audit.json) |
-|[Virtual machines should be connected to an approved virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd416745a-506c-48b6-8ab1-83cb814bcaa3) |This policy audits any virtual machine connected to a virtual network that is not approved. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ApprovedVirtualNetwork_Audit.json) |
-|[Virtual networks should use specified virtual network gateway](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff1776c76-f58c-4245-a8d0-2b207198dc8b) |This policy audits any virtual network if the default route does not point to the specified virtual network gateway. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetwork_ApprovedVirtualNetworkGateway_AuditIfNotExists.json) |
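Review bot: the three new "Public network access should be disabled for ..." rows for MariaDB, MySQL and PostgreSQL carry near-identical descriptions that differ only in the word "strictly" (present for MariaDB and MySQL, absent for PostgreSQL) and all three read "outside of Azure IP range" without an article. Because the Description and Effect(s) columns on this page are generated from the definition JSON linked in the Version column, the wording should be corrected in the Azure/azure-policy repository rather than hand-edited here, otherwise the next regeneration will revert it. Also worth confirming from those definitions that "Audit, Disabled" is really the full allowed-effect set for the three database servers, since the sibling "Public network access on Azure SQL Database should be disabled" row offers "Audit, Deny, Disabled" and a reader standardising on Deny across the database family would otherwise expect parity. The removal of the three "Private endpoint should be enabled for ..." rows is a move, not a loss: they reappear unchanged under the NS-2 table later in this diff.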
-### Monitor and log the configuration and traffic of Vnets, Subnets, and NICs
+### Connect private networks together
-**ID**: Azure Security Benchmark 1.2
+**ID**: Azure Security Benchmark NS-2
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Network Watcher should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) |Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure. |auditIfNotExists |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) |
+|[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) |
+|[Azure Cache for Redis should reside within a virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7d092e0a-7acd-40d2-a975-dca21cae48c4) |Azure Virtual Network (VNet) deployment provides enhanced security and isolation for your Azure Cache for Redis, as well as subnets, access control policies, and other features to further restrict access.When an Azure Cache for Redis instance is configured with a VNet, it is not publicly addressable and can only be accessed from virtual machines and applications within the VNet. |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cache/RedisCache_CacheInVnet_Audit.json) |
+|[Azure Event Grid domains should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9830b652-8523-49cc-b1b3-e17dce1127ca) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your Event Grid domains instead of the entire service, you'll also be protected against data leakage risks.Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/EventGridDomains_EnablePrivateEndpoint_Audit.json) |
+|[Azure Event Grid topics should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4b90e17e-8448-49db-875e-bd83fb6f804f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your topics instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/EventGridTopics_EnablePrivateEndpoint_Audit.json) |
+|[Azure Machine Learning workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F40cec1dd-a100-4920-b15b-3024fe8901ab) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Machine Learning workspaces instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/azureml-workspaces-privatelink](https://aka.ms/azureml-workspaces-privatelink). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateLinkEnabled_Audit.json) |
+|[Azure SignalR Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F53503636-bcc9-4748-9663-5348217f160f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your SignalR resources instead of the entire service, you'll also be protected against data leakage risks .Learn more at: [https://aka.ms/asrs/privatelink](https://aka.ms/asrs/privatelink). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit.json) |
+|[Azure Spring Cloud should use network injection](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf35e2a4-ef96-44e7-a9ae-853dd97032c4) |Azure Spring Cloud instances should use virtual network injection for the following purposes: 1. Isolate Azure Spring Cloud from Internet. 2. Enable Azure Spring Cloud to interact with systems in either on premises data centers or Azure service in other virtual networks. 3. Empower customers to control inbound and outbound network communications for Azure Spring Cloud. |Audit, Disabled, Deny |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Platform/Spring_VNETEnabled_Audit.json) |
+|[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) |
+|[Private endpoint connections on Azure SQL Database should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7698e800-9299-47a6-b3b6-5a0fee576eed) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. |Audit, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json) |
+|[Private endpoint should be configured for Key Vault](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0bc445-3935-4915-9981-011aa2b46147) |Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. |Audit, Disabled |[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultPrivateEndpointEnabled_Audit.json) |
+|[Private endpoint should be enabled for MariaDB servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a1302fb-a631-4106-9753-f3d494733990) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_EnablePrivateEndPoint_Audit.json) |
+|[Private endpoint should be enabled for MySQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7595c971-233d-4bcf-bd18-596129188c49) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnablePrivateEndPoint_Audit.json) |
+|[Private endpoint should be enabled for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0564d078-92f5-4f97-8398-b9f58a51f70b) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json) |
+|[Storage account should use a private link connection](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6edd7eda-6dd8-40f7-810d-67160c639cd9) |Private links enforce secure communication, by providing private connectivity to the storage account |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountPrivateEndpointEnabled_Audit.json) |
+|[VM Image Builder templates should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2154edb9-244f-4741-9970-660785bccdaa) |Audit VM Image Builder templates that do not have a virtual network configured. When a virtual network is not configured, a public IP is created and used instead which may directly expose resources to the internet and increase the potential attack surface. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/VM%20Image%20Builder/PrivateLinkEnabled_Audit.json) |
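Review bot: the control under this heading changes from 1.2 "Monitor and log the configuration and traffic of Vnets, Subnets, and NICs" to NS-2 "Connect private networks together", and the only row removed with it, "Network Watcher should be enabled", does not reappear anywhere in this diff; confirm it has been re-homed under the matching v2 logging control elsewhere on the page rather than dropped, since it is the only monitoring-related policy in the old section. Two smaller points, both traceable to the definition metadata rather than this file: "Azure Spring Cloud should use network injection" lists its effects as "Audit, Disabled, Deny" while every other row on the page orders them "Audit, Deny, Disabled", and the Redis, Event Grid domains, SignalR and Container registries descriptions are missing spaces after sentence-ending periods ("access.When", "network.By", "risks .Learn", "network.By"). Fix those in the source definitions so the generated table stays consistent.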
-### Protect critical web applications
+### Establish private network access to Azure services
-**ID**: Azure Security Benchmark 1.3
+**ID**: Azure Security Benchmark NS-3
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[CORS should not allow every resource to access your API App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F358c20a6-3f9e-4f0e-97ff-c6ce485e2aac) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_ApiApp_Audit.json) |
-|[CORS should not allow every resource to access your Function Apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) |
-|[CORS should not allow every resource to access your Web Applications](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) |
-|[Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5bb220d9-2698-4ee4-8404-b9c30c9df609) |Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_ClientCert.json) |
-|[Remote debugging should be turned off for API Apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe9c8d085-d9cc-4b17-9cdc-059f1f01f19e) |Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_ApiApp_Audit.json) |
-|[Remote debugging should be turned off for Function Apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) |
-|[Remote debugging should be turned off for Web Applications](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcb510bfd-1cba-4d9f-a230-cb0976f4bb71) |Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json) |
+|[App Configuration should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fca610c1d-041c-4332-9d88-7ed3094967c7) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your app configuration instances instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/appconfig/private-endpoint](https://aka.ms/appconfig/private-endpoint). |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Configuration/PrivateLink_Audit.json) |
+|[Azure Event Grid domains should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9830b652-8523-49cc-b1b3-e17dce1127ca) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your Event Grid domains instead of the entire service, you'll also be protected against data leakage risks.Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/EventGridDomains_EnablePrivateEndpoint_Audit.json) |
+|[Azure Event Grid topics should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4b90e17e-8448-49db-875e-bd83fb6f804f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your topics instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/privateendpoints](https://aka.ms/privateendpoints). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Grid/EventGridTopics_EnablePrivateEndpoint_Audit.json) |
+|[Azure Machine Learning workspaces should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F40cec1dd-a100-4920-b15b-3024fe8901ab) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your Azure Machine Learning workspaces instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/azureml-workspaces-privatelink](https://aka.ms/azureml-workspaces-privatelink). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_PrivateLinkEnabled_Audit.json) |
+|[Azure SignalR Service should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F53503636-bcc9-4748-9663-5348217f160f) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network. By mapping private endpoints to your SignalR resources instead of the entire service, you'll also be protected against data leakage risks .Learn more at: [https://aka.ms/asrs/privatelink](https://aka.ms/asrs/privatelink). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SignalR/SignalR_PrivateEndpointEnabled_Audit.json) |
+|[Container registries should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8eef0a8-67cf-4eb4-9386-14b0e78733d4) |Azure Private Link lets you connect your virtual network to Azure services without a public IP address at the source or destination. The private link platform handles the connectivity between the consumer and services over the Azure backbone network.By mapping private endpoints to your container registries instead of the entire service, you'll also be protected against data leakage risks. Learn more at: [https://aka.ms/acr/private-link](https://aka.ms/acr/private-link). |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_PrivateEndpointEnabled_Audit.json) |
+|[Private endpoint connections on Azure SQL Database should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7698e800-9299-47a6-b3b6-5a0fee576eed) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure SQL Database. |Audit, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_PrivateEndpoint_Audit.json) |
+|[Private endpoint should be configured for Key Vault](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0bc445-3935-4915-9981-011aa2b46147) |Private link provides a way to connect Key Vault to your Azure resources without sending traffic over the public internet. Private link provides defense in depth protection against data exfiltration. |Audit, Disabled |[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultPrivateEndpointEnabled_Audit.json) |
+|[Private endpoint should be enabled for MariaDB servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a1302fb-a631-4106-9753-f3d494733990) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_EnablePrivateEndPoint_Audit.json) |
+|[Private endpoint should be enabled for MySQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7595c971-233d-4bcf-bd18-596129188c49) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnablePrivateEndPoint_Audit.json) |
+|[Private endpoint should be enabled for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0564d078-92f5-4f97-8398-b9f58a51f70b) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json) |
+|[Storage account should use a private link connection](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6edd7eda-6dd8-40f7-810d-67160c639cd9) |Private links enforce secure communication, by providing private connectivity to the storage account |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountPrivateEndpointEnabled_Audit.json) |
+|[VM Image Builder templates should use private link](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2154edb9-244f-4741-9970-660785bccdaa) |Audit VM Image Builder templates that do not have a virtual network configured. When a virtual network is not configured, a public IP is created and used instead which may directly expose resources to the internet and increase the potential attack surface. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/VM%20Image%20Builder/PrivateLinkEnabled_Audit.json) |
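Review bot: several of the new Private Link rows carry spacing defects in their description cells that will render verbatim: the Event Grid domains row and the Container registries row run "backbone network.By mapping" together with no space, and the SignalR row has the period detached as "data leakage risks .Learn more". The Storage account row's description is also the only one in this block that ends without a period. If this table is generated from the definitions' description metadata, as the GitHub links in the Version column suggest, the correction belongs in the referenced definition JSON (EventGridDomains_EnablePrivateEndpoint_Audit.json, ACR_PrivateEndpointEnabled_Audit.json, SignalR_PrivateEndpointEnabled_Audit.json) so the next regeneration does not reintroduce the typos; otherwise fix the three cells here.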
-### Deny communications with known malicious IP addresses
+### Protect applications and services from external network attacks
-**ID**: Azure Security Benchmark 1.4
+**ID**: Azure Security Benchmark NS-4
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) | |[All Internet traffic should be routed via your deployed Azure Firewall](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc5e4038-4584-4632-8c85-c0448d374b2c) |Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall |AuditIfNotExists, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ASC_All_Internet_traffic_should_be_routed_via_Azure_Firewall.json) |
+|[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |
+|[Azure Cosmos DB accounts should have firewall rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F862e97cf-49fc-4a5c-9de4-40d4e2e7c8eb) |Firewall rules should be defined on your Azure Cosmos DB accounts to prevent traffic from unauthorized sources. Accounts that have at least one IP rule defined with the virtual network filter enabled are deemed compliant. Accounts disabling public access are also deemed compliant. |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_NetworkRulesExist_Audit.json) |
|[Azure DDoS Protection Standard should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa7aca53f-2ed4-4466-a25e-0b45ade68efd) |DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableDDoSProtection_Audit.json) |
+|[Firewall should be enabled on Key Vault](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F55615ac9-af46-4a59-874e-391cc3dfb490) |Key vault's firewall prevents unauthorized traffic from reaching your key vault and provides an additional layer of protection for your secrets. Enable the firewall to make sure that only traffic from allowed networks can access your key vault. |Audit, Disabled |[1.0.2-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/AzureKeyVaultFirewallEnabled_Audit.json) |
+|[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) |
+|[IP Forwarding on your virtual machine should be disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd352bd5-2853-4985-bf0d-73806b4a5744) |Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_IPForwardingOnVirtualMachines_Audit.json) |
|[Management ports of virtual machines should be protected with just-in-time network access control](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb0f33259-77d7-4c9e-aac6-3aabcfae693c) |Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json) |
+|[RDP access from the Internet should be blocked](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe372f825-a257-4fb8-9175-797a8a8627d6) |This policy audits any network security rule that allows RDP access from Internet |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_RDPAccess_Audit.json) |
+|[SSH access from the Internet should be blocked](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2c89a2e5-7285-40fe-afe0-ae8654b92fab) |This policy audits any network security rule that allows SSH access from Internet |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkSecurityGroup_SSHAccess_Audit.json) |
+|[Storage accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) |Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) |
+|[Subnets should be associated with a Network Security Group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe71308d3-144b-4262-b144-efdc3cc90517) |Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnSubnets_Audit.json) |
+|[Web Application Firewall (WAF) should be enabled for Application Gateway](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F564feb30-bf6a-4854-b4bb-0d2d2d1e6c66) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AppGatewayEnabled_Audit.json) |
+|[Web Application Firewall (WAF) should be enabled for Azure Front Door Service service](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F055aa869-bc98-4af8-bafc-23f1ab6ffe2c) |Deploy Azure Web Application Firewall (WAF) in front of public facing web applications for additional inspection of incoming traffic. Web Application Firewall (WAF) provides centralized protection of your web applications from common exploits and vulnerabilities such as SQL injections, Cross-Site Scripting, local and remote file executions. You can also restrict access to your web applications by countries, IP address ranges, and other http(s) parameters via custom rules. |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/WAF_AFD_Enabled_Audit.json) |
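Review bot: the display name in the last added row reads "Azure Front Door Service service", a duplicated word; if that string is copied from the definition's displayName the fix belongs in WAF_AFD_Enabled_Audit.json, otherwise correct it in this row. Two smaller wording points in the same block: the Storage accounts row says "on-premise clients" where "on-premises clients" is the standard form, and the RDP and SSH rows say "from Internet" while the rest of the table writes "from the Internet". On the heading change at the top of the block, the control moves from ASB 1.4 "Deny communications with known malicious IP addresses" to NS-4 "Protect applications and services from external network attacks" while the DDoS Protection Standard and just-in-time management-port rows are retained as unchanged context; it is worth stating in the PR description that those two carried-over definitions are deliberately mapped to NS-4, since the old and new control titles describe different objectives.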
-### Record network packets and flow logs
-
-**ID**: Azure Security Benchmark 1.5
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Network Watcher should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) |Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure. |auditIfNotExists |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) |
-
-### Use automated tools to monitor network resource configurations and detect changes
-
-**ID**: Azure Security Benchmark 1.11
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
-|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenUser_Prerequisite.json) |
-|[Deploy the Windows Guest Configuration extension to enable Guest Configuration assignments on Windows VMs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F385f5831-96d4-41db-9a3c-cd3af78aaae6) |This policy deploys the Windows Guest Configuration extension to Windows virtual machines hosted in Azure that are supported by Guest Configuration. The Windows Guest Configuration extension is a prerequisite for all Windows Guest Configuration assignments and must deployed to machines before using any Windows Guest Configuration policy definition. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |deployIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_DeployExtensionWindows_Prerequisite.json) |
-|[Windows machines should meet requirements for 'Administrative Templates - Network'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67e010c1-640d-438e-a3a5-feaccb533a98) |Windows machines should have the specified Group Policy settings in the category 'Administrative Templates - Network' for guest logons, simultaneous connections, network bridge, ICS, and multicast name resolution. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministrativeTemplatesNetwork_AINE.json) |
-|[Windows machines should meet requirements for 'Security Options - Microsoft Network Server'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcaf2d518-f029-4f6b-833b-d7081702f253) |Windows machines should have the specified Group Policy settings in the category 'Security Options - Microsoft Network Server' for disabling SMB v1 server. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsMicrosoftNetworkServer_AINE.json) |
-|[Windows machines should meet requirements for 'Security Options - Network Access'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3ff60f98-7fa4-410a-9f7f-0b00f5afdbdd) |Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Access' for including access for anonymous users, local accounts, and remote access to the registry. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsNetworkAccess_AINE.json) |
-|[Windows machines should meet requirements for 'Security Options - Network Security'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1221c620-d201-468c-81e7-2817e6107e84) |Windows machines should have the specified Group Policy settings in the category 'Security Options - Network Security' for including Local System behavior, PKU2U, LAN Manager, LDAP client, and NTLM SSP. This policy requires that the Guest Configuration prerequisites have been deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecurityOptionsNetworkSecurity_AINE.json) |
-
-## Logging and Monitoring
-
-### Configure central security log management
-
-**ID**: Azure Security Benchmark 2.2
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Audit Windows machines on which the Log Analytics agent is not connected as expected](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6265018c-d7e2-432f-a75d-094d5f6f4465) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsLogAnalyticsAgentConnection_AINE.json) |
-|[Auto provisioning of the Log Analytics agent should be enabled on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F475aae12-b88a-4572-8b36-9b712b2b3a17) |To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json) |
-|[Azure Monitor log profile should collect logs for categories 'write,' 'delete,' and 'action'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1a4e592a-6a6e-44a5-9814-e36264ca96e7) |This policy ensures that a log profile collects logs for categories 'write,' 'delete,' and 'action' |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllCategories.json) |
-|[Azure Monitor should collect activity logs from all regions](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F41388f1c-2db0-4c25-95b2-35d7f5ccbfa9) |This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllRegions.json) |
-|[The Log Analytics agent should be installed on Virtual Machine Scale Sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fefbde977-ba53-4479-b8e9-10b957924fbf) |This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VMSS_LogAnalyticsAgent_AuditIfNotExists.json) |
-|[The Log Analytics agent should be installed on virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa70ca396-0a34-413a-88e1-b956c1e683be) |This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VirtualMachines_LogAnalyticsAgent_AuditIfNotExists.json) |
-
-### Enable audit logging for Azure resources
+### Deploy intrusion detection/intrusion prevention systems (IDS/IPS)
-**ID**: Azure Security Benchmark 2.3
+**ID**: Azure Security Benchmark NS-5
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Audit diagnostic setting](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7f89b1eb-583c-429a-8828-af049802c1d9) |Audit diagnostic setting for selected resource types |AuditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/DiagnosticSettingsForTypes_Audit.json) |
-|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) |
-|[Diagnostic logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) |Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit.json) |
-|[Diagnostic logs in Azure Data Lake Store should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) |Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) |
-|[Diagnostic logs in Azure Stream Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) |Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) |
-|[Diagnostic logs in Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) |Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) |
-|[Diagnostic logs in Data Lake Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc95c74d9-38fe-4f0d-af86-0c7d626a315c) |Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeAnalytics_AuditDiagnosticLog_Audit.json) |
-|[Diagnostic logs in Event Hub should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83a214f7-d01a-484b-91a9-ed54470c9a6a) |Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_AuditDiagnosticLog_Audit.json) |
-|[Diagnostic logs in IoT Hub should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F383856f8-de7f-44a2-81fc-e5135b5c2aa4) |Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTHub_AuditDiagnosticLog_Audit.json) |
-|[Diagnostic logs in Key Vault should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcf820ca0-f99e-4f3e-84fb-66e913812d21) |Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_AuditDiagnosticLog_Audit.json) |
-|[Diagnostic logs in Logic Apps should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34f95f76-5386-4de7-b824-0d8478470c9d) |Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Logic%20Apps/LogicApps_AuditDiagnosticLog_Audit.json) |
-|[Diagnostic logs in Search services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4330a05-a843-4bc8-bf9a-cacce50c67f4) |Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_AuditDiagnosticLog_Audit.json) |
-|[Diagnostic logs in Service Bus should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8d36e2f-389b-4ee4-898d-21aeb69a0f45) |Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditDiagnosticLog_Audit.json) |
-|[Diagnostic logs in Virtual Machine Scale Sets should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7c1b1214-f927-48bf-8882-84f0af6588b1) |It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ServiceFabric_and_VMSS_AuditVMSSDiagnostics.json) |
-|[SQL Auditing settings should have Action-Groups configured to capture critical activities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7ff426e2-515f-405a-91c8-4f2333442eb5) |The AuditActionsAndGroups property should contain at least SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP, FAILED_DATABASE_AUTHENTICATION_GROUP, BATCH_COMPLETED_GROUP to ensure a thorough audit logging |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_ActionsAndGroups_Audit.json) |
-
-### Collect security logs from operating systems
-
-**ID**: Azure Security Benchmark 2.4
-**Ownership**: Customer
+|[All Internet traffic should be routed via your deployed Azure Firewall](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc5e4038-4584-4632-8c85-c0448d374b2c) |Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall |AuditIfNotExists, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ASC_All_Internet_traffic_should_be_routed_via_Azure_Firewall.json) |
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[Audit Windows machines on which the Log Analytics agent is not connected as expected](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6265018c-d7e2-432f-a75d-094d5f6f4465) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the agent is not installed, or if it is installed but the COM object AgentConfigManager.MgmtSvcCfg returns that it is registered to a workspace other than the ID specified in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsLogAnalyticsAgentConnection_AINE.json) |
-|[Auto provisioning of the Log Analytics agent should be enabled on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F475aae12-b88a-4572-8b36-9b712b2b3a17) |To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json) |
-|[The Log Analytics agent should be installed on Virtual Machine Scale Sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fefbde977-ba53-4479-b8e9-10b957924fbf) |This policy audits any Windows/Linux Virtual Machine Scale Sets if the Log Analytics agent is not installed. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VMSS_LogAnalyticsAgent_AuditIfNotExists.json) |
-|[The Log Analytics agent should be installed on virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa70ca396-0a34-413a-88e1-b956c1e683be) |This policy audits any Windows/Linux virtual machines if the Log Analytics agent is not installed. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/VirtualMachines_LogAnalyticsAgent_AuditIfNotExists.json) |
+## Identity Management
-### Configure security log storage retention
+### Standardize Azure Active Directory as the central identity and authentication system
-**ID**: Azure Security Benchmark 2.5
+**ID**: Azure Security Benchmark IM-1
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[SQL servers should be configured with 90 days auditing retention or higher.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F89099bee-89e0-4b26-a5f4-165451757743) |SQL servers should be configured with 90 days auditing retention or higher. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditingRetentionDays_Audit.json) |
+|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |
+|[Managed identity should be used in your API App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc4d441f8-f9d9-4a9e-9cef-e82117cb3eef) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_ApiApp_Audit.json) |
+|[Managed identity should be used in your Function App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) |
+|[Managed identity should be used in your Web App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |
+|[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) |
-### Enable alerts for anomalous activity
+### Manage application identities securely and automatically
-**ID**: Azure Security Benchmark 2.7
+**ID**: Azure Security Benchmark IM-2
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Advanced data security should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) |
-|[Advanced data security should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) |
+|[Managed identity should be used in your API App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc4d441f8-f9d9-4a9e-9cef-e82117cb3eef) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_ApiApp_Audit.json) |
+|[Managed identity should be used in your Function App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) |
+|[Managed identity should be used in your Web App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |
+|[Service principals should be used to protect your subscriptions instead of management certificates](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6646a0bd-e110-40ca-bb97-84fcee63c414) |Management certificates allow anyone who authenticates with them to manage the subscription(s) they are associated with. To manage subscriptions more securely, use of service principals with Resource Manager is recommended to limit the impact of a certificate compromise. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UseServicePrincipalToProtectSubscriptions.json) |
-### Centralize anti-malware logging
+### Use strong authentication controls for all Azure Active Directory based access
-**ID**: Azure Security Benchmark 2.8
+**ID**: Azure Security Benchmark IM-4
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Endpoint protection solution should be installed on virtual machine scale sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F26a828e1-e88f-464e-bbb3-c134a282b9de) |Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) |
-|[Microsoft Antimalware for Azure should be configured to automatically update protection signatures](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc43e4a30-77cb-48ab-a4dd-93f175c63b57) |This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_AntiMalwareAutoUpdate_AuditIfNotExists.json) |
-|[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) |Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) |
+|[MFA should be enabled accounts with write permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9297c21d-2ed6-4474-b48f-163f75654ce3) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json) |
+|[MFA should be enabled on accounts with owner permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faa633080-8b72-40c4-a2d7-d00c03e80bed) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json) |
+|[MFA should be enabled on accounts with read permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe3576e28-8b17-4677-84c3-db2990658d64) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForReadPermissions_Audit.json) |
-## Identity and Access Control
+## Privileged Access
-### Maintain an inventory of administrative accounts
+### Protect and limit highly privileged users
-**ID**: Azure Security Benchmark 3.1
+**ID**: Azure Security Benchmark PA-1
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
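Review bot: the row added under IM-4 for policy 9297c21d has a display name that is missing "on" after "enabled" ("MFA should be enabled accounts with write permissions on your subscription"), and the three "Managed identity should be used in your API App / Function App / Web App" rows are added twice, under IM-1 and again under IM-2. The names and descriptions in these rows quote the policy definitions linked from the Version column, so the wording fix belongs in the definition JSON rather than a hand edit here, or it will regress when the table is regenerated; if the double listing is intentional (one policy mapped to two controls), please say so in the commit message so reviewers do not flag it as a copy-paste slip.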
@@ -223,72 +191,79 @@ This built-in initiative is deployed as part of the
|[External accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8456c1c-aa66-4dfb-861a-25d127b775c9) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json) | |[There should be more than one owner assigned to your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09024ccc-0c5f-475e-9457-b7c0d9ed487b) |It is recommended to designate more than one subscription owner in order to have administrator access redundancy. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json) |
-### Use dedicated administrative accounts
+### Review and reconcile user access regularly
-**ID**: Azure Security Benchmark 3.3
+**ID**: Azure Security Benchmark PA-3
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[A maximum of 3 owners should be designated for your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f11b553-d42e-4e3a-89be-32ca364cad4c) |It is recommended to designate up to 3 subscription owners in order to reduce the potential for breach by a compromised owner. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateLessThanXOwners_Audit.json) |
-|[Audit Windows machines missing any of specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F30f71ea1-ac77-4f26-9fc5-2d926bbd4ba7) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the local Administrators group does not contain one or more members that are listed in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToInclude_AINE.json) |
-|[Audit Windows machines that have extra accounts in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3d2a3320-2a72-4c67-ac5f-caa40fbee2b2) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the local Administrators group contains members that are not listed in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembers_AINE.json) |
-|[Audit Windows machines that have the specified members in the Administrators group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F69bf4abd-ca1e-4cf6-8b5a-762d42e61d4f) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the local Administrators group contains one or more of the members listed in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AdministratorsGroupMembersToExclude_AINE.json) |
-|[There should be more than one owner assigned to your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F09024ccc-0c5f-475e-9457-b7c0d9ed487b) |It is recommended to designate more than one subscription owner in order to have administrator access redundancy. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_DesignateMoreThanOneOwner_Audit.json) |
+|[Deprecated accounts should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6b1cbf55-e8b6-442f-ba4c-7246b6381474) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccounts_Audit.json) |
+|[Deprecated accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Febb62a0c-3560-49e1-89ed-27e074e9f8ad) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccountsWithOwnerPermissions_Audit.json) |
+|[External accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8456c1c-aa66-4dfb-861a-25d127b775c9) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json) |
+|[External accounts with read permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f76cf89-fbf2-47fd-a3f4-b891fa780b60) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json) |
+|[External accounts with write permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c607a2e-c700-4744-8254-d77e7c9eb5e4) |External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json) |
-### Use multi-factor authentication for all Azure Active Directory based access
+### Follow just enough administration (least privilege principle)
-**ID**: Azure Security Benchmark 3.5
+**ID**: Azure Security Benchmark PA-7
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[MFA should be enabled accounts with write permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9297c21d-2ed6-4474-b48f-163f75654ce3) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with write privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForWritePermissions_Audit.json) |
-|[MFA should be enabled on accounts with owner permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faa633080-8b72-40c4-a2d7-d00c03e80bed) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with owner permissions to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForOwnerPermissions_Audit.json) |
-|[MFA should be enabled on accounts with read permissions on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe3576e28-8b17-4677-84c3-db2990658d64) |Multi-Factor Authentication (MFA) should be enabled for all subscription accounts with read privileges to prevent a breach of accounts or resources. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableMFAForReadPermissions_Audit.json) |
+|[Audit usage of custom RBAC rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |
+|[Custom subscription owner roles should not exist](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F10ee2ea2-fb4d-45b8-a7e9-a2e770044cd9) |This policy ensures that no custom subscription owner roles exist. |Audit, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/CustomSubscription_OwnerRole_Audit.json) |
+|[Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) |
+
+## Data Protection
-### Use Azure Active Directory
+### Discovery, classify and label sensitive data
-**ID**: Azure Security Benchmark 3.9
-**Ownership**: Customer
+**ID**: Azure Security Benchmark DP-1
+**Ownership**: Shared
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[An Azure Active Directory administrator should be provisioned for SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f314764-cb73-4fc9-b863-8eca98ac36e9) |Audit provisioning of an Azure Active Directory administrator for your SQL server to enable Azure AD authentication. Azure AD authentication enables simplified permission management and centralized identity management of database users and other Microsoft services |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SQL_DB_AuditServerADAdmins_Audit.json) |
-|[Service Fabric clusters should only use Azure Active Directory for client authentication](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb54ed75b-3e1a-44ac-a333-05ba39b99ff0) |Audit usage of client authentication only via Azure Active Directory in Service Fabric |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditADAuth_Audit.json) |
+|[Sensitive data in your SQL databases should be classified](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcc9835f2-9f6b-4cc8-ab4a-f8ef615eb349) |Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security |AuditIfNotExists, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbDataClassification_Audit.json) |
-### Regularly review and reconcile user access
+### Protect sensitive data
-**ID**: Azure Security Benchmark 3.10
-**Ownership**: Customer
+**ID**: Azure Security Benchmark DP-2
+**Ownership**: Shared
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Deprecated accounts should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6b1cbf55-e8b6-442f-ba4c-7246b6381474) |Deprecated accounts should be removed from your subscriptions. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccounts_Audit.json) |
-|[Deprecated accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Febb62a0c-3560-49e1-89ed-27e074e9f8ad) |Deprecated accounts with owner permissions should be removed from your subscription. Deprecated accounts are accounts that have been blocked from signing in. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveDeprecatedAccountsWithOwnerPermissions_Audit.json) |
-|[External accounts with owner permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8456c1c-aa66-4dfb-861a-25d127b775c9) |External accounts with owner permissions should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWithOwnerPermissions_Audit.json) |
-|[External accounts with read permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f76cf89-fbf2-47fd-a3f4-b891fa780b60) |External accounts with read privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsReadPermissions_Audit.json) |
-|[External accounts with write permissions should be removed from your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5c607a2e-c700-4744-8254-d77e7c9eb5e4) |External accounts with write privileges should be removed from your subscription in order to prevent unmonitored access. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_RemoveExternalAccountsWritePermissions_Audit.json) |
-
-## Data Protection
+|[Advanced data security should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) |
+|[Azure Defender for Azure SQL Database servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json) |
+|[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) |
+|[Azure Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F308fbb08-4ab8-4e67-9b29-592e93fb94fa) |Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json) |
+|[Cognitive Services accounts should enable data encryption](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2bdd0062-9d75-436e-89df-487dd8e4b3c7) |This policy audits any Cognitive Services account not using data encryption. For each Cognitive Services account with storage, should enable data encryption with either customer managed or Microsoft managed key. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_Encryption_Audit.json) |
+|[Disk encryption should be applied on virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |
+|[Storage account public access should be disallowed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4fa4b6c0-31ca-4c0d-b10d-24b96f62a751) |Anonymous public read access to containers and blobs in Azure Storage is a convenient way to share data but might present security risks. To prevent data breaches caused by undesired anonymous access, Microsoft recommends preventing public access to a storage account unless your scenario requires it. |audit, deny, disabled |[2.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/ASC_Storage_DisallowPublicBlobAccess_Audit.json) |
+|[Transparent Data Encryption on SQL databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) |Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) |
-### Maintain an inventory of sensitive Information
+### Monitor for unauthorized transfer of sensitive data
-**ID**: Azure Security Benchmark 4.1
-**Ownership**: Customer
+**ID**: Azure Security Benchmark DP-3
+**Ownership**: Shared
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Sensitive data in your SQL databases should be classified](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcc9835f2-9f6b-4cc8-ab4a-f8ef615eb349) |Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security |AuditIfNotExists, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbDataClassification_Audit.json) |
+|[Advanced data security should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) |
+|[Azure Defender for Azure SQL Database servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json) |
+|[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) |
+|[Azure Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F308fbb08-4ab8-4e67-9b29-592e93fb94fa) |Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json) |
-### Encrypt all sensitive information in transit
+### Encrypt sensitive information in transit
-**ID**: Azure Security Benchmark 4.4
+**ID**: Azure Security Benchmark DP-4
**Ownership**: Shared |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[API App should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb7ddfbdc-1260-477d-91fd-98bd9be789a6) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceApiApp_AuditHTTP_Audit.json) |
+|[Audit Windows web servers that are not using secure communication protocols](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5752e6d6-1206-46d8-8ab1-ecc2f71a8112) |Requires that prerequisites are deployed to the policy assignment scope. For details, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). Machines are non-compliant if the registry key HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols includes protocols less secure than what is selected in the policy parameter. |auditIfNotExists |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_SecureWebProtocol_AINE.json) |
+|[Enforce HTTPS ingress in Kubernetes cluster](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1a5b4dca-0b6f-4cf5-907c-56316bc1bf3d) |This policy enforces HTTPS ingress in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, deny, disabled |[5.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/IngressHttpsOnly.json) |
|[Enforce SSL connection should be enabled for MySQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe802a67a-daf5-4436-9ea6-f6d821dd0c5d) |Azure Database for MySQL supports connecting your Azure Database for MySQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableSSL_Audit.json) | |[Enforce SSL connection should be enabled for PostgreSQL database servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd158790f-bfb0-486c-8631-2dc6b4e8e6af) |Azure Database for PostgreSQL supports connecting your Azure Database for PostgreSQL server to client applications using Secure Sockets Layer (SSL). Enforcing SSL connections between your database server and your client applications helps protect against 'man in the middle' attacks by encrypting the data stream between the server and your application. This configuration enforces that SSL is always enabled for accessing your database server. 
|Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableSSL_Audit.json) | |[FTPS only should be required in your API App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9a1b8c48-453a-4044-86c3-d8bfd823e4f5) |Enable FTPS enforcement for enhanced security |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditFTPS_ApiApp_Audit.json) |
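Review bot: the four rows added under DP-2 "Protect sensitive data" (Advanced data security on SQL Managed Instance, Azure Defender for Azure SQL Database servers, Azure Defender for SQL servers on machines, Azure Defender for Storage) are repeated verbatim under DP-3 "Monitor for unauthorized transfer of sensitive data"; since this table is generated from the initiative's control mappings, confirm the double mapping is intentional rather than a generator artifact before publishing. Two smaller points: the new DP-1 heading "Discovery, classify and label sensitive data" mixes a noun with the imperatives used by the sibling headings (Protect, Monitor, Encrypt), so check it against the benchmark's control title; and the "Contributer" misspelling in the "Audit usage of custom RBAC rules" description comes from Subscription_AuditCustomRBACRoles_Audit.json, so the fix belongs in the azure-policy repo, not in this generated file.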
@@ -302,139 +277,214 @@ This built-in initiative is deployed as part of the
|[Secure transfer to storage accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F404c3081-a854-4457-ae30-26a93ef643f9) |Audit requirement of Secure transfer in your storage account. Secure transfer is an option that forces your storage account to accept requests only from secure connections (HTTPS). Use of HTTPS ensures authentication between the server and the service and protects data in transit from network layer attacks such as man-in-the-middle, eavesdropping, and session-hijacking |Audit, Deny, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_AuditForHTTPSEnabled_Audit.json) | |[Web Application should only be accessible over HTTPS](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4af4a39-4135-47fb-b175-47fbdf85311d) |Use of HTTPS ensures server/service authentication and protects data in transit from network layer eavesdropping attacks. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppServiceWebapp_AuditHTTP_Audit.json) |
-### Use an active discovery tool to identify sensitive data
+### Encrypt sensitive data at rest
-**ID**: Azure Security Benchmark 4.5
-**Ownership**: Customer
+**ID**: Azure Security Benchmark DP-5
+**Ownership**: Shared
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Advanced data security should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) |
-|[Advanced data security should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb4388-5bf4-4ad7-ba82-2cd2f41ceae9) |Audit SQL servers without Advanced Data Security |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_AdvancedDataSecurity_Audit.json) |
-|[Sensitive data in your SQL databases should be classified](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcc9835f2-9f6b-4cc8-ab4a-f8ef615eb349) |Azure Security Center monitors the data discovery and classification scan results for your SQL databases and provides recommendations to classify the sensitive data in your databases for better monitoring and security |AuditIfNotExists, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbDataClassification_Audit.json) |
+|[Automation account variables should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) |It is important to enable encryption of Automation account variable assets when storing sensitive data |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json) |
+|[Azure Cosmos DB accounts should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1f905d99-2ab7-462c-a6b0-f709acca6c8f) |Use customer-managed keys to manage the encryption at rest of your Azure Cosmos DB. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at [https://aka.ms/cosmosdb-cmk](https://aka.ms/cosmosdb-cmk). |audit, deny, disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cosmos%20DB/Cosmos_CMK_Deny.json) |
+|[Azure Machine Learning workspaces should be encrypted with a customer-managed key (CMK)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fba769a63-b8cc-4b2d-abf6-ac33c7204be8) |Manage encryption at rest of your Azure Machine Learning workspace data with customer-managed keys (CMK). By default, customer data is encrypted with service-managed keys, but CMKs are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at [https://aka.ms/azureml-workspaces-cmk](https://aka.ms/azureml-workspaces-cmk). |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Machine%20Learning/Workspace_CMKEnabled_Audit.json) |
+|[Bring your own key data protection should be enabled for MySQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83cef61d-dbd1-4b20-a4fc-5fbc7da10833) |Use customer-managed keys to manage the encryption at rest of your MySQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnableByok_Audit.json) |
+|[Bring your own key data protection should be enabled for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F18adea5e-f416-4d0f-8aa8-d24321e3e274) |Use customer-managed keys to manage the encryption at rest of your PostgreSQL servers. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnableByok_Audit.json) |
+|[Cognitive Services accounts should enable data encryption with a customer-managed key (CMK)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F67121cc7-ff39-4ab8-b7e3-95b84dab487d) |Customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data stored in Cognitive Services to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at [https://aka.ms/cosmosdb-cmk](https://aka.ms/cosmosdb-cmk). |Audit, Deny, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_CustomerManagedKey_Audit.json) |
+|[Cognitive Services accounts should use customer owned storage or enable data encryption.](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F11566b39-f7f7-4b82-ab06-68d8700eb0a4) |This policy audits any Cognitive Services account not using customer owned storage nor data encryption. For each Cognitive Services account with storage, use either customer owned storage or enable data encryption. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Cognitive%20Services/CognitiveServices_BYOX_Audit.json) |
+|[Container registries should be encrypted with a customer-managed key (CMK)](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5b9159ae-1701-4a6f-9a7a-aa9c8ddd0580) |Use customer-managed keys to manage the encryption at rest of the contents of your registries. By default, the data is encrypted at rest with service-managed keys, but customer-managed keys (CMK) are commonly required to meet regulatory compliance standards. CMKs enable the data to be encrypted with an Azure Key Vault key created and owned by you. You have full control and responsibility for the key lifecycle, including rotation and management. Learn more about CMK encryption at [https://aka.ms/acr/CMK](https://aka.ms/acr/CMK). |Audit, Deny, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Container%20Registry/ACR_CMKEncryptionEnabled_Audit.json) |
+|[Disk encryption should be applied on virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |
+|[Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F617c02be-7f02-4efd-8836-3180d47b6c68) |Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json) |
+|[SQL managed instances should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F048248b0-55cd-46da-b1ff-39efd52db260) |Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json) |
+|[SQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0d134df8-db83-46fb-ad72-fe0c9428c8dd) |Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json) |
+|[Storage accounts should use customer-managed key (CMK) for encryption](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6fac406b-40ca-413b-bf8e-0bf964659c25) |Secure your storage account with greater flexibility using customer-managed keys (CMKs). When you specify a CMK, that key is used to protect and control access to the key that encrypts your data. Using CMKs provides additional capabilities to control rotation of the key encryption key or cryptographically erase data. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/StorageAccountCustomerManagedKeyEnabled_Audit.json) |
+|[Transparent Data Encryption on SQL databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) |Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) |
-### Use Azure RBAC to control access to resources
+## Asset Management
-**ID**: Azure Security Benchmark 4.6
+### Use only approved Azure services
+
+**ID**: Azure Security Benchmark AM-3
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Audit usage of custom RBAC rules](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa451c1ef-c6ca-483d-87ed-f49761e3ffb5) |Audit built-in roles such as 'Owner, Contributer, Reader' instead of custom RBAC roles, which are error prone. Using custom roles is treated as an exception and requires a rigorous review and threat modeling |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/General/Subscription_AuditCustomRBACRoles_Audit.json) |
-|[Role-Based Access Control (RBAC) should be used on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fac4a19c2-fa67-49b4-8ae5-0b2e78c49457) |To provide granular filtering on the actions that users can perform, use Role-Based Access Control (RBAC) to manage permissions in Kubernetes Service Clusters and configure relevant authorization policies. |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableRBAC_KubernetesService_Audit.json) |
+|[Storage accounts should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F37e0d2fe-28a5-43d6-a273-67d37d1f5606) |Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Classic_AuditForClassicStorages_Audit.json) |
+|[Virtual machines should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1d84d5fb-01f6-4d12-ba4f-4a26081d403d) |Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ClassicCompute_Audit.json) |
-### Encrypt sensitive information at rest
+### Use only approved applications in compute resources
-**ID**: Azure Security Benchmark 4.8
+**ID**: Azure Security Benchmark AM-6
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Automation account variables should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3657f5a0-770e-44a3-b44e-9431ba1e9735) |It is important to enable encryption of Automation account variable assets when storing sensitive data |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Automation/Automation_AuditUnencryptedVars_Audit.json) |
-|[Disk encryption should be applied on virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0961003e-5a0a-4549-abde-af6a37f2724d) |Virtual machines without an enabled disk encryption will be monitored by Azure Security Center as recommendations. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UnencryptedVMDisks_Audit.json) |
-|[Service Fabric clusters should have the ClusterProtectionLevel property set to EncryptAndSign](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F617c02be-7f02-4efd-8836-3180d47b6c68) |Service Fabric provides three levels of protection (None, Sign and EncryptAndSign) for node-to-node communication using a primary cluster certificate. Set the protection level to ensure that all node-to-node messages are encrypted and digitally signed |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Fabric/ServiceFabric_AuditClusterProtectionLevel_Audit.json) |
-|[SQL managed instances should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F048248b0-55cd-46da-b1ff-39efd52db260) |Implementing Transparent Data Encryption (TDE) with your own key provides you with increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json) |
-|[SQL servers should use customer-managed keys to encrypt data at rest](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0d134df8-db83-46fb-ad72-fe0c9428c8dd) |Implementing Transparent Data Encryption (TDE) with your own key provides increased transparency and control over the TDE Protector, increased security with an HSM-backed external service, and promotion of separation of duties. This recommendation applies to organizations with a related compliance requirement. |AuditIfNotExists, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServer_EnsureServerTDEisEncryptedWithYourOwnKey_Audit.json) |
-|[Transparent Data Encryption on SQL databases should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F17k78e20-9358-41c9-923c-fb736d382a12) |Transparent data encryption should be enabled to protect data-at-rest and meet compliance requirements |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlDBEncryption_Audit.json) |
-|[Unattached disks should be encrypted](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2c89a2e5-7285-40fe-afe0-ae8654b92fb2) |This policy audits any unattached disk without encryption enabled. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/UnattachedDisk_Encryption_Audit.json) |
+|[Adaptive application controls for defining safe applications should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a6b606-51aa-4496-8bb7-64b11cf66adc) |Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json) |
+
+## Logging and Threat Detection
-### Log and alert on changes to critical Azure resources
+### Enable threat detection for Azure resources
-**ID**: Azure Security Benchmark 4.9
+**ID**: Azure Security Benchmark LT-1
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Azure Monitor should collect activity logs from all regions](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F41388f1c-2db0-4c25-95b2-35d7f5ccbfa9) |This policy audits the Azure Monitor log profile which does not export activities from all Azure supported regions including global. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ActivityLog_CaptureAllRegions.json) |
-
-## Vulnerability Management
+|[Advanced data security should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) |
+|[Azure Defender for App Service should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2913021d-f2fd-4f3d-b958-22354e2bdbcb) |Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json) |
+|[Azure Defender for Azure SQL Database servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json) |
+|[Azure Defender for container registries should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc25d9a16-bc35-4e15-a7e5-9db606bf9ed4) |Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainerRegistry_Audit.json) |
+|[Azure Defender for Key Vault should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e6763cc-5078-4e64-889d-ff4d9a839047) |Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json) |
+|[Azure Defender for Kubernetes should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F523b5cd1-3e23-492f-a539-13118b6d1e3a) |Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKubernetesService_Audit.json) |
+|[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) |
+|[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) |
+|[Azure Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F308fbb08-4ab8-4e67-9b29-592e93fb94fa) |Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json) |
-### Run automated vulnerability scanning tools
+### Enable threat detection for Azure identity and access management
-**ID**: Azure Security Benchmark 5.1
+**ID**: Azure Security Benchmark LT-2
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
-|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) |Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) |
-|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) |
+|[Advanced data security should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) |
+|[Azure Defender for App Service should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2913021d-f2fd-4f3d-b958-22354e2bdbcb) |Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json) |
+|[Azure Defender for Azure SQL Database servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json) |
+|[Azure Defender for container registries should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc25d9a16-bc35-4e15-a7e5-9db606bf9ed4) |Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainerRegistry_Audit.json) |
+|[Azure Defender for Key Vault should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e6763cc-5078-4e64-889d-ff4d9a839047) |Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json) |
+|[Azure Defender for Kubernetes should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F523b5cd1-3e23-492f-a539-13118b6d1e3a) |Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKubernetesService_Audit.json) |
+|[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) |
+|[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) |
+|[Azure Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F308fbb08-4ab8-4e67-9b29-592e93fb94fa) |Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json) |
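Review bot: the table added under "Enable threat detection for Azure identity and access management" (LT-2) is a row-for-row copy of the nine rows added under "Enable threat detection for Azure resources" (LT-1) just above, from "Advanced data security should be enabled on SQL Managed Instance" through "Azure Defender for Storage should be enabled". None of these rows concern identity or access management, so either the LT-2 mapping in the generator source is pointing at the LT-1 policy set by mistake, or the duplicate block should be dropped; please confirm against the benchmark mapping before merging, since a reader auditing LT-2 coverage would otherwise be told the control is satisfied by resource-level Defender plans.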
-### Deploy automated operating system patch management solution
+### Enable logging for Azure network activities
-**ID**: Azure Security Benchmark 5.2
+**ID**: Azure Security Benchmark LT-3
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[System updates on virtual machine scale sets should be installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3f317a7-a95c-4547-b7e7-11017ebdf2fe) |Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json) |
-|[System updates should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F86b3d65f-7626-441e-b690-81a8b71cff60) |Missing security system updates on your servers will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json) |
+|[Network traffic data collection agent should be installed on Linux virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F04c4380f-3fae-46e8-96c9-30193528f602) |Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. |AuditIfNotExists, Disabled |[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Linux.json) |
+|[Network traffic data collection agent should be installed on Windows virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2f2ee1de-44aa-4762-b6bd-0893fc3f306d) |Security Center uses the Microsoft Dependency agent to collect network traffic data from your Azure virtual machines to enable advanced network protection features such as traffic visualization on the network map, network hardening recommendations and specific network threats. |AuditIfNotExists, Disabled |[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/ASC_Dependency_Agent_Audit_Windows.json) |
+|[Network Watcher should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) |Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure. |auditIfNotExists |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) |
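Review bot: in the LT-3 table the "Network Watcher should be enabled" row lists its effect as `auditIfNotExists` while every other row on the page uses `AuditIfNotExists` (and the row also lacks the ", Disabled" alternative the other rows show). If the effect column is copied verbatim from the definition JSON this is expected and the casing difference is upstream, but if the table is hand-edited it should be normalized to `AuditIfNotExists` so that searches and tooling keyed on the effect name match consistently.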
-### Deploy automated third-party software patch management solution
+### Enable logging for Azure resources
-**ID**: Azure Security Benchmark 5.3
-**Ownership**: Customer
+**ID**: Azure Security Benchmark LT-4
+**Ownership**: Shared
|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Ensure that 'Java version' is the latest, if used as a part of the API app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F88999f4c-376a-45c8-bcb3-4058f713cf39) |Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_java_Latest.json) |
-|[Ensure that 'Java version' is the latest, if used as a part of the Function app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc) |Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_java_Latest.json) |
-|[Ensure that 'Java version' is the latest, if used as a part of the Web app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F496223c3-ad65-4ecd-878a-bae78737e9ed) |Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_java_Latest.json) |
-|[Ensure that 'PHP version' is the latest, if used as a part of the API app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba) |Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_PHP_Latest.json) |
-|[Ensure that 'PHP version' is the latest, if used as a part of the WEB app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7261b898-8a84-4db8-9e04-18527132abb3) |Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_PHP_Latest.json) |
-|[Ensure that 'Python version' is the latest, if used as a part of the API app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F74c3584d-afae-46f7-a20a-6f8adba71a16) |Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_python_Latest.json) |
-|[Ensure that 'Python version' is the latest, if used as a part of the Function app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7238174a-fd10-4ef0-817e-fc820a951d73) |Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_python_Latest.json) |
-|[Ensure that 'Python version' is the latest, if used as a part of the Web app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7008174a-fd10-4ef0-817e-fc820a951d73) |Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_python_Latest.json) |
-|[Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffb893a29-21bb-418c-a157-e99480ec364c) |Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UpgradeVersion_KubernetesService_Audit.json) |
+|[Auditing on SQL server should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa6fb4358-5bf4-4ad7-ba82-2cd2f41ce5e9) |Auditing on your SQL Server should be enabled to track database activities across all databases on the server and save them in an audit log. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlServerAuditing_Audit.json) |
+|[Diagnostic logs in App Services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb607c5de-e7d9-4eee-9e5c-83f1bcee4fa0) |Audit enabling of diagnostic logs on the app. This enables you to recreate activity trails for investigation purposes if a security incident occurs or your network is compromised |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_AuditLoggingMonitoring_Audit.json) |
+|[Diagnostic logs in Azure Data Lake Store should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F057ef27e-665e-4328-8ea3-04b3122bd9fb) |Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeStore_AuditDiagnosticLog_Audit.json) |
+|[Diagnostic logs in Azure Stream Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff9be5368-9bf5-4b84-9e0a-7850da98bb46) |Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Stream%20Analytics/StreamAnalytics_AuditDiagnosticLog_Audit.json) |
+|[Diagnostic logs in Batch accounts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F428256e6-1fac-4f48-a757-df34c2b3336d) |Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Batch/Batch_AuditDiagnosticLog_Audit.json) |
+|[Diagnostic logs in Data Lake Analytics should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc95c74d9-38fe-4f0d-af86-0c7d626a315c) |Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Data%20Lake/DataLakeAnalytics_AuditDiagnosticLog_Audit.json) |
+|[Diagnostic logs in Event Hub should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F83a214f7-d01a-484b-91a9-ed54470c9a6a) |Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Event%20Hub/EventHub_AuditDiagnosticLog_Audit.json) |
+|[Diagnostic logs in IoT Hub should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F383856f8-de7f-44a2-81fc-e5135b5c2aa4) |Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Internet%20of%20Things/IoTHub_AuditDiagnosticLog_Audit.json) |
+|[Diagnostic logs in Key Vault should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcf820ca0-f99e-4f3e-84fb-66e913812d21) |Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_AuditDiagnosticLog_Audit.json) |
+|[Diagnostic logs in Logic Apps should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34f95f76-5386-4de7-b824-0d8478470c9d) |Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Logic%20Apps/LogicApps_AuditDiagnosticLog_Audit.json) |
+|[Diagnostic logs in Search services should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4330a05-a843-4bc8-bf9a-cacce50c67f4) |Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Search/Search_AuditDiagnosticLog_Audit.json) |
+|[Diagnostic logs in Service Bus should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff8d36e2f-389b-4ee4-898d-21aeb69a0f45) |Audit enabling of diagnostic logs. This enables you to recreate activity trails to use for investigation purposes; when a security incident occurs or when your network is compromised |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Service%20Bus/ServiceBus_AuditDiagnosticLog_Audit.json) |
+|[Diagnostic logs in Virtual Machine Scale Sets should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7c1b1214-f927-48bf-8882-84f0af6588b1) |It is recommended to enable Logs so that activity trail can be recreated when investigations are required in the event of an incident or a compromise. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ServiceFabric_and_VMSS_AuditVMSSDiagnostics.json) |
-### Use a risk-rating process to prioritize the remediation of discovered vulnerabilities
+### Centralize security log management and analysis
-**ID**: Azure Security Benchmark 5.5
+**ID**: Azure Security Benchmark LT-5
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) |
-|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
-|[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) |Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) |
-|[Vulnerabilities on your SQL databases should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) |
-|[Vulnerabilities should be remediated by a Vulnerability Assessment solution](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F760a85ff-6162-42b3-8d70-698e268f648c) |Monitors vulnerabilities detected by Vulnerability Assessment solution and VMs without a Vulnerability Assessment solution in Azure Security Center as recommendations. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VMVulnerabilities_Audit.json) |
+|[Auto provisioning of the Log Analytics agent should be enabled on your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F475aae12-b88a-4572-8b36-9b712b2b3a17) |To monitor for security vulnerabilities and threats, Azure Security Center collects data from your Azure virtual machines. Data is collected by the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA), which reads various security-related configurations and event logs from the machine and copies the data to your Log Analytics workspace for analysis. We recommend enabling auto provisioning to automatically deploy the agent to all supported Azure VMs and any new ones that are created. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Automatic_provisioning_log_analytics_monitoring_agent.json) |
+|[Log Analytics agent health issues should be resolved on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd62cfe2b-3ab0-4d41-980d-76803b58ca65) |Security Center uses the Log Analytics agent, formerly known as the Microsoft Monitoring Agent (MMA). To make sure your virtual machines are successfully monitored, you need to make sure the agent is installed on the virtual machines and properly collects security events to the configured workspace. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ResolveLaHealthIssues.json) |
+|[Log Analytics agent should be installed on your Linux Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F842c54e8-c2f9-4d79-ae8d-38d8b8019373) |This policy audits Linux Azure Arc machines if the Log Analytics agent is not installed. |AuditIfNotExists, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Linux_LogAnalytics_Audit.json) |
+|[Log Analytics agent should be installed on your virtual machine for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa4fe33eb-e377-4efb-ab31-0784311bc499) |This policy audits any Windows/Linux virtual machines (VMs) if the Log Analytics agent is not installed which Security Center uses to monitor for security vulnerabilities and threats |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVm.json) |
+|[Log Analytics agent should be installed on your virtual machine scale sets for Azure Security Center monitoring](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa3a6ea0c-e018-4933-9ef0-5aaa1501449b) |Security Center collects data from your Azure virtual machines (VMs) to monitor for security vulnerabilities and threats. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_InstallLaAgentOnVmss.json) |
+|[Log Analytics agent should be installed on your Windows Azure Arc machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd69b1763-b96d-40b8-a2d9-ca31e9fd0d3e) |This policy audits Windows Azure Arc machines if the Log Analytics agent is not installed. |AuditIfNotExists, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Monitoring/Arc_Windows_LogAnalytics_Audit.json) |
-## Inventory and Asset Management
+## Incident Response
-### Use only approved applications
+### Preparation setup incident notification
-**ID**: Azure Security Benchmark 6.8
+**ID**: Azure Security Benchmark IR-2
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Adaptive application controls for defining safe applications should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a6b606-51aa-4496-8bb7-64b11cf66adc) |Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json) |
+|[Email notification for high severity alerts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6e2593d9-add6-4083-9c9b-4b7d2188c899) |To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, enable email notifications for high severity alerts in Security Center. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification.json) |
+|[Email notification to subscription owner for high severity alerts should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b15565f-aa9e-48ba-8619-45960f2c314d) |To ensure your subscription owners are notified when there is a potential security breach in their subscription, set email notifications to subscription owners for high severity alerts in Security Center. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Email_notification_to_subscription_owner.json) |
+|[Subscriptions should have a contact email address for security issues](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7) |To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Security_contact_email.json) |
-### Use only approved Azure services
+### Detection and analysis create incidents based on high quality alerts
-**ID**: Azure Security Benchmark 6.9
+**ID**: Azure Security Benchmark IR-3
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Storage accounts should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F37e0d2fe-28a5-43d6-a273-67d37d1f5606) |Use new Azure Resource Manager for your storage accounts to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Classic_AuditForClassicStorages_Audit.json) |
-|[Virtual machines should be migrated to new Azure Resource Manager resources](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1d84d5fb-01f6-4d12-ba4f-4a26081d403d) |Use new Azure Resource Manager for your virtual machines to provide security enhancements such as: stronger access control (RBAC), better auditing, Azure Resource Manager based deployment and governance, access to managed identities, access to key vault for secrets, Azure AD-based authentication and support for tags and resource groups for easier security management |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/ClassicCompute_Audit.json) |
+|[Advanced data security should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) |
+|[Azure Defender for App Service should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2913021d-f2fd-4f3d-b958-22354e2bdbcb) |Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json) |
+|[Azure Defender for Azure SQL Database servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json) |
+|[Azure Defender for container registries should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc25d9a16-bc35-4e15-a7e5-9db606bf9ed4) |Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainerRegistry_Audit.json) |
+|[Azure Defender for Key Vault should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e6763cc-5078-4e64-889d-ff4d9a839047) |Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json) |
+|[Azure Defender for Kubernetes should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F523b5cd1-3e23-492f-a539-13118b6d1e3a) |Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKubernetesService_Audit.json) |
+|[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) |
+|[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) |
+|[Azure Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F308fbb08-4ab8-4e67-9b29-592e93fb94fa) |Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json) |
-### Implement approved application list
+### Detection and analysis prioritize incidents
-**ID**: Azure Security Benchmark 6.10
+**ID**: Azure Security Benchmark IR-5
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Adaptive application controls for defining safe applications should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a6b606-51aa-4496-8bb7-64b11cf66adc) |Enable application controls to define the list of known-safe applications running on your machines, and alert you when other applications run. This helps harden your machines against malware. To simplify the process of configuring and maintaining your rules, Security Center uses machine learning to analyze the applications running on each machine and suggest the list of known-safe applications. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveApplicationControls_Audit.json) |
+|[Advanced data security should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fabfb7388-5bf4-4ad7-ba99-2cd2f41cebb9) |Audit each SQL Managed Instance without advanced data security. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/SqlManagedInstance_AdvancedDataSecurity_Audit.json) |
+|[Azure Defender for App Service should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2913021d-f2fd-4f3d-b958-22354e2bdbcb) |Azure Defender for App Service leverages the scale of the cloud, and the visibility that Azure has as a cloud provider, to monitor for common web app attacks. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnAppServices_Audit.json) |
+|[Azure Defender for Azure SQL Database servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7fe3b40f-802b-4cdd-8bd4-fd799c948cc2) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServers_Audit.json) |
+|[Azure Defender for container registries should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc25d9a16-bc35-4e15-a7e5-9db606bf9ed4) |Azure Defender for container registries provides vulnerability scanning of any images pulled within the last 30 days, pushed to your registry, or imported, and exposes detailed findings per image. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnContainerRegistry_Audit.json) |
+|[Azure Defender for Key Vault should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e6763cc-5078-4e64-889d-ff4d9a839047) |Azure Defender for Key Vault provides an additional layer of protection and security intelligence by detecting unusual and potentially harmful attempts to access or exploit key vault accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKeyVaults_Audit.json) |
+|[Azure Defender for Kubernetes should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F523b5cd1-3e23-492f-a539-13118b6d1e3a) |Azure Defender for Kubernetes provides real-time threat protection for containerized environments and generates alerts for suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnKubernetesService_Audit.json) |
+|[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) |
+|[Azure Defender for SQL servers on machines should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F6581d072-105e-4418-827f-bd446d56421b) |Azure Defender for SQL provides functionality for surfacing and mitigating potential database vulnerabilities, detecting anomalous activities that could indicate threats to SQL databases, and discovering and classifying sensitive data. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedDataSecurityOnSqlServerVirtualMachines_Audit.json) |
+|[Azure Defender for Storage should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F308fbb08-4ab8-4e67-9b29-592e93fb94fa) |Azure Defender for Storage provides detections of unusual and potentially harmful attempts to access or exploit storage accounts. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnStorageAccounts_Audit.json) |
-## Secure Configuration
+## Posture and Vulnerability Management
-### Maintain secure operating system configurations
+### Sustain secure configurations for Azure services
+
+**ID**: Azure Security Benchmark PV-2
+**Ownership**: Customer
-**ID**: Azure Security Benchmark 7.4
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Azure Policy Add-on for Kubernetes service (AKS) should be installed and enabled on your clusters](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a15ec92-a229-4763-bb14-0ea34a568f8d) |Azure Policy Add-on for Kubernetes service (AKS) extends Gatekeeper v3, an admission controller webhook for Open Policy Agent (OPA), to apply at-scale enforcements and safeguards on your clusters in a centralized, consistent manner. |Audit, Disabled |[1.0.1-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AKS_AzurePolicyAddOn_Audit.json) |
+|[CORS should not allow every resource to access your API App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F358c20a6-3f9e-4f0e-97ff-c6ce485e2aac) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_ApiApp_Audit.json) |
+|[CORS should not allow every resource to access your Function Apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) |
+|[CORS should not allow every resource to access your Web Applications](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) |
+|[Do not allow privileged containers in Kubernetes cluster](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F95edb821-ddaf-4404-9732-666045e056b4) |This policy does not allow privileged containers creation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, deny, disabled |[5.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilege.json) |
+|[Ensure API app has 'Client Certificates (Incoming client certificates)' set to 'On'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0c192fe8-9cbb-4516-85b3-0ade8bd03886) |Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_ClientCert.json) |
+|[Ensure container CPU and memory resource limits do not exceed the specified limits in Kubernetes cluster](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe345eecc-fa47-480f-9e88-67dcc122b164) |This policy ensures container CPU and memory resource limits are defined and do not exceed the specified limits in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, deny, disabled |[5.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerResourceLimits.json) |
+|[Ensure containers listen only on allowed ports in Kubernetes cluster](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F440b515e-a580-421e-abeb-b159a61ddcbc) |This policy enforces containers to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, deny, disabled |[5.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedPorts.json) |
+|[Ensure only allowed container images in Kubernetes cluster](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffebd0533-8e55-448f-b837-bd0e06f16469) |This policy ensures only allowed container images are running in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, deny, disabled |[5.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedImages.json) |
+|[Ensure services listen only on allowed ports in Kubernetes cluster](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F233a2a17-77ca-4fb1-9b6b-69223d272a44) |This policy enforces services to listen only on allowed ports in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, deny, disabled |[5.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ServiceAllowedPorts.json) |
+|[Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5bb220d9-2698-4ee4-8404-b9c30c9df609) |Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_ClientCert.json) |
+|[Function apps should have 'Client Certificates (Incoming client certificates)' enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Feaebaea7-8013-4ceb-9d14-7eb32271373c) |Client certificates allow for the app to request a certificate for incoming requests. Only clients with valid certificates will be able to reach the app. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_ClientCert.json) |
+|[Kubernetes cluster containers should not share host process ID or host IPC namespace](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F47a1ee2f-2a2a-4576-bf2a-e0e36709c2b8) |This policy blocks pod containers from sharing the host process ID namespace and host IPC namespace in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit [https://aka.ms/kubepolicydoc/](https://aka.ms/kubepolicydoc/). |audit, deny, disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/BlockHostNamespace.json) |
+|[Kubernetes cluster containers should only use allowed AppArmor profiles](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F511f5417-5d12-434d-ab2e-816901e72a5e) |This policy ensures containers only use allowed AppArmor profiles in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, deny, disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/EnforceAppArmorProfile.json) |
+|[Kubernetes cluster containers should only use allowed capabilities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc26596ff-4d70-4e6a-9a30-c2506bd2f80c) |This policy ensures containers only use allowed capabilities in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, deny, disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerAllowedCapabilities.json) |
+|[Kubernetes cluster containers should run with a read only root file system](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fdf49d893-a74c-421d-bc95-c663042e5b80) |This policy ensures containers run with a read only root file system in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit [https://aka.ms/kubepolicydoc/](https://aka.ms/kubepolicydoc/). |audit, deny, disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ReadOnlyRootFileSystem.json) |
+|[Kubernetes cluster pod hostPath volumes should only use allowed host paths](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F098fc59e-46c7-4d99-9b16-64990e543d75) |This policy ensures pod hostPath volumes can only use allowed host paths in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, deny, disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedHostPaths.json) |
+|[Kubernetes cluster pods and containers should only run with approved user and group IDs](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff06ddb64-5fa3-4b77-b166-acb36f7f6042) |This policy controls the user, primary group, supplemental group and file system group IDs that pods and containers can use to run in a Kubernetes Cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, deny, disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/AllowedUsersGroups.json) |
+|[Kubernetes cluster pods should only use approved host network and port range](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F82985f06-dc18-4a48-bc1c-b9f4f0098cfe) |This policy controls pod access to the host network and the allowable host port range in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, deny, disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/HostNetworkPorts.json) |
+|[Kubernetes clusters should not allow container privilege escalation](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1c6e92c9-99f0-4e55-9cf2-0c234dc48f99) |This policy does not allow containers to use privilege escalation in a Kubernetes cluster. This policy is generally available for Kubernetes Service (AKS), and preview for AKS Engine and Azure Arc enabled Kubernetes. For instructions on using this policy, visit [https://aka.ms/kubepolicydoc](https://aka.ms/kubepolicydoc). |audit, deny, disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Kubernetes/ContainerNoPrivilegeEscalation.json) |
+|[Remote debugging should be turned off for API Apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe9c8d085-d9cc-4b17-9cdc-059f1f01f19e) |Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_ApiApp_Audit.json) |
+|[Remote debugging should be turned off for Function Apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) |
+|[Remote debugging should be turned off for Web Applications](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcb510bfd-1cba-4d9f-a230-cb0976f4bb71) |Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json) |
+
+### Sustain secure configurations for compute resources
+
+**ID**: Azure Security Benchmark PV-4
**Ownership**: Shared |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
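Review bot: in the new PV-2 block, once the old `**ID**: Azure Security Benchmark 7.4` line is dropped, the added `**Ownership**: Customer` line runs straight into the `|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |` header row; confirm a blank line separates the ownership line from the table header, otherwise the table can fail to render. Two consistency points in the same hunk: the GitHub link for `CORS should not allow every resource to access your Function Apps` targets `AppService_RestrictCORSAccess_FuntionApp_Audit.json` (`FuntionApp`), which should be verified against the actual file name in the azure-policy repository rather than corrected blindly, since the link only works if it matches the file; and the `Kubernetes cluster containers should not share host process ID or host IPC namespace` and `Kubernetes cluster containers should run with a read only root file system` rows link `https://aka.ms/kubepolicydoc/` with a trailing slash while every other Kubernetes row in the table uses `https://aka.ms/kubepolicydoc`.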
@@ -443,63 +493,75 @@ This built-in initiative is deployed as part of the
|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) | |[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) |Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) |
-### Implement automated configuration monitoring for operating systems
+### Perform software vulnerability assessments
-**ID**: Azure Security Benchmark 7.10
+**ID**: Azure Security Benchmark PV-6
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Vulnerabilities in container security configurations should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe8cbc669-f12d-49eb-93e7-9273119e9933) |Audit vulnerabilities in security configuration on machines with Docker installed and display as recommendations in Azure Security Center. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerBenchmark_Audit.json) |
-|[Vulnerabilities in security configuration on your machines should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe1e5fd5d-3e4c-4ce1-8661-7d1873ae6b15) |Servers which do not satisfy the configured baseline will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OSVulnerabilities_Audit.json) |
-|[Vulnerabilities in security configuration on your virtual machine scale sets should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3c735d8a-a4ba-4a3a-b7cf-db7754cf57f4) |Audit the OS vulnerabilities on your virtual machine scale sets to protect them from attacks. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssOSVulnerabilities_Audit.json) |
+|[A vulnerability assessment solution should be enabled on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F501541f7-f7e7-4cd6-868c-4190fdad3ac9) |Audits virtual machines to detect whether they are running a supported vulnerability assessment solution. A core component of every cyber risk and security program is the identification and analysis of vulnerabilities. Azure Security Center's standard pricing tier includes vulnerability scanning for your virtual machines at no extra cost. Additionally, Security Center can automatically deploy this tool for you. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ServerVulnerabilityAssessment_Audit.json) |
+|[Vulnerabilities in Azure Container Registry images should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5f0f936f-2f01-4bf5-b6be-d423792fa562) |Container image vulnerability assessment scans your registry for security vulnerabilities on each pushed container image and exposes detailed findings for each image (powered by Qualys). Resolving the vulnerabilities can greatly improve your containers' security posture and protect them from attacks. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_ContainerRegistryVulnerabilityAssessment_Audit.json) |
+|[Vulnerabilities on your SQL databases should be remediated](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffeedbf84-6b99-488c-acc2-71c829aa5ffc) |Monitor Vulnerability Assessment scan results and recommendations for how to remediate database vulnerabilities. |AuditIfNotExists, Disabled |[4.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_SQLDbVulnerabilities_Audit.json) |
+|[Vulnerability assessment should be enabled on SQL Managed Instance](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1b7aa243-30e4-4c9e-bca8-d0d3022b634a) |Audit each SQL Managed Instance which doesn't have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnManagedInstance_Audit.json) |
+|[Vulnerability assessment should be enabled on your SQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fef2a8f2a-b3d9-49cd-a8a8-9a3aaaf647d9) |Audit Azure SQL servers which do not have recurring vulnerability assessment scans enabled. Vulnerability assessment can discover, track, and help you remediate potential database vulnerabilities. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/VulnerabilityAssessmentOnServer_Audit.json) |
-### Manage Azure secrets securely
+### Rapidly and automatically remediate software vulnerabilities
-**ID**: Azure Security Benchmark 7.11
+**ID**: Azure Security Benchmark PV-7
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Key vaults should have purge protection enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b60c0b2-2dc2-4e1c-b5c9-abbed971de53) |Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. |Audit, Deny, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_Recoverable_Audit.json) |
+|[Ensure that 'Java version' is the latest, if used as a part of the API app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F88999f4c-376a-45c8-bcb3-4058f713cf39) |Periodically, newer versions are released for Java either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_java_Latest.json) |
+|[Ensure that 'Java version' is the latest, if used as a part of the Function app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F9d0b6ea4-93e2-4578-bf2f-6bb17d22b4bc) |Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_java_Latest.json) |
+|[Ensure that 'Java version' is the latest, if used as a part of the Web app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F496223c3-ad65-4ecd-878a-bae78737e9ed) |Periodically, newer versions are released for Java software either due to security flaws or to include additional functionality. Using the latest Java version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_java_Latest.json) |
+|[Ensure that 'PHP version' is the latest, if used as a part of the API app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1bc1795e-d44a-4d48-9b3b-6fff0fd5f9ba) |Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_PHP_Latest.json) |
+|[Ensure that 'PHP version' is the latest, if used as a part of the WEB app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7261b898-8a84-4db8-9e04-18527132abb3) |Periodically, newer versions are released for PHP software either due to security flaws or to include additional functionality. Using the latest PHP version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_PHP_Latest.json) |
+|[Ensure that 'Python version' is the latest, if used as a part of the API app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F74c3584d-afae-46f7-a20a-6f8adba71a16) |Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for API apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_ApiApp_Audit_python_Latest.json) |
+|[Ensure that 'Python version' is the latest, if used as a part of the Function app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7238174a-fd10-4ef0-817e-fc820a951d73) |Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for Function apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_FunctionApp_Audit_python_Latest.json) |
+|[Ensure that 'Python version' is the latest, if used as a part of the Web app](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7008174a-fd10-4ef0-817e-fc820a951d73) |Periodically, newer versions are released for Python software either due to security flaws or to include additional functionality. Using the latest Python version for web apps is recommended in order to take advantage of security fixes, if any, and/or new functionalities of the latest version. Currently, this policy only applies to Linux web apps. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_WebApp_Audit_python_Latest.json) |
+|[Kubernetes Services should be upgraded to a non-vulnerable Kubernetes version](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffb893a29-21bb-418c-a157-e99480ec364c) |Upgrade your Kubernetes service cluster to a later Kubernetes version to protect against known vulnerabilities in your current Kubernetes version. Vulnerability CVE-2019-9946 has been patched in Kubernetes versions 1.11.9+, 1.12.7+, 1.13.5+, and 1.14.0+ |Audit, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_UpgradeVersion_KubernetesService_Audit.json) |
+|[System updates on virtual machine scale sets should be installed](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc3f317a7-a95c-4547-b7e7-11017ebdf2fe) |Audit whether there are any missing system security updates and critical updates that should be installed to ensure that your Windows and Linux virtual machine scale sets are secure. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingSystemUpdates_Audit.json) |
+|[System updates should be installed on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F86b3d65f-7626-441e-b690-81a8b71cff60) |Missing security system updates on your servers will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingSystemUpdates_Audit.json) |
+
+## Endpoint Security
-### Manage identities securely and automatically
+### Use Endpoint Detection and Response (EDR)
-**ID**: Azure Security Benchmark 7.12
+**ID**: Azure Security Benchmark ES-1
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Managed identity should be used in your API App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc4d441f8-f9d9-4a9e-9cef-e82117cb3eef) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_ApiApp_Audit.json) |
-|[Managed identity should be used in your Function App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0da106f2-4ca3-48e8-bc85-c638fe6aea8f) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_FunctionApp_Audit.json) |
-|[Managed identity should be used in your Web App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2b9ad585-36bc-4615-b300-fd4435808332) |Use a managed identity for enhanced authentication security |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_UseManagedIdentity_WebApp_Audit.json) |
+|[Azure Defender for servers should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4da35fc9-c9e7-4960-aec9-797fe7d9051d) |Azure Defender for servers provides real-time threat protection for server workloads and generates hardening recommendations as well as alerts about suspicious activities. |AuditIfNotExists, Disabled |[1.0.3](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableAdvancedThreatProtectionOnVM_Audit.json) |
-## Malware Defense
+### Use centrally managed modern anti-malware software
-### Use centrally managed anti-malware software
-
-**ID**: Azure Security Benchmark 8.1
+**ID**: Azure Security Benchmark ES-2
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[Endpoint protection solution should be installed on virtual machine scale sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F26a828e1-e88f-464e-bbb3-c134a282b9de) |Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) | |[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) |Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) |
+|[Windows Defender Exploit Guard should be enabled on your machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbed48b13-6647-468e-aa2f-1af1d3f4dd40) |Windows Defender Exploit Guard uses the Azure Policy Guest Configuration agent. Exploit Guard has four components that are designed to lock down devices against a wide variety of attack vectors and block behaviors commonly used in malware attacks while enabling enterprises to balance their security risk and productivity requirements (Windows only). |AuditIfNotExists, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_WindowsDefenderExploitGuard_AINE.json) |
### Ensure anti-malware software and signatures are updated
-**ID**: Azure Security Benchmark 8.3
+**ID**: Azure Security Benchmark ES-3
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | |||||
-|[Microsoft Antimalware for Azure should be configured to automatically update protection signatures](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc43e4a30-77cb-48ab-a4dd-93f175c63b57) |This policy audits any Windows virtual machine not configured with automatic update of Microsoft Antimalware protection signatures. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Compute/VirtualMachines_AntiMalwareAutoUpdate_AuditIfNotExists.json) |
+|[Endpoint protection solution should be installed on virtual machine scale sets](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F26a828e1-e88f-464e-bbb3-c134a282b9de) |Audit the existence and health of an endpoint protection solution on your virtual machines scale sets, to protect them from threats and vulnerabilities. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_VmssMissingEndpointProtection_Audit.json) |
+|[Monitor missing Endpoint Protection in Azure Security Center](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Faf6cd1bd-1635-48cb-bde7-5b15693900b9) |Servers without an installed Endpoint Protection agent will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_MissingEndpointProtection_Audit.json) |
-## Data Recovery
+## Backup and Recovery
-### Ensure regular automated back ups
+### Ensure regular automated backups
-**ID**: Azure Security Benchmark 9.1
+**ID**: Azure Security Benchmark BR-1
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
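Review bot: Under ES-3 "Ensure anti-malware software and signatures are updated", the removed row "Microsoft Antimalware for Azure should be configured to automatically update protection signatures" was the only policy in the table that actually audited signature updates; the two rows added in its place, "Endpoint protection solution should be installed on virtual machine scale sets" and "Monitor missing Endpoint Protection in Azure Security Center", only check that an endpoint protection agent is present and are already listed under ES-2 directly above, so ES-3 ends up with no policy covering signature freshness and a table that duplicates ES-2. Please confirm the initiative definition really maps those two policies to ES-3; if it does, a short sentence under the heading saying that signature currency is not audited by any built-in policy yet would save readers from assuming it is.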
@@ -510,9 +572,9 @@ This built-in initiative is deployed as part of the
|[Geo-redundant backup should be enabled for Azure Database for PostgreSQL](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F48af4db5-9b8b-401c-8e74-076be876a430) |Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForPostgreSQL_Audit.json) | |[Long-term geo-redundant backup should be enabled for Azure SQL Databases](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd38fc420-0735-4ef3-ac11-c806f651a570) |This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_SQLDatabase_AuditIfNotExists.json) |
-### Perform complete system backups and backup any customer managed keys
+### Encrypt backup data
-**ID**: Azure Security Benchmark 9.2
+**ID**: Azure Security Benchmark BR-2
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
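Review bot: Renaming the control from "Perform complete system backups and backup any customer managed keys" (9.2) to "Encrypt backup data" (BR-2) changes what the control is about, but this hunk changes only the heading and ID lines and leaves the policy table untouched; the rows that follow in the original file were chosen for the backup/key-retention control, not for encryption. Please re-check each row kept under BR-2 against the v2 control text so the table does not promise an encryption check that the listed policies do not perform.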
@@ -523,26 +585,15 @@ This built-in initiative is deployed as part of the
|[Geo-redundant backup should be enabled for Azure Database for PostgreSQL](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F48af4db5-9b8b-401c-8e74-076be876a430) |Azure Database for PostgreSQL allows you to choose the redundancy option for your database server. It can be set to a geo-redundant backup storage in which the data is not only stored within the region in which your server is hosted, but is also replicated to a paired region to provide recovery option in case of a region failure. Configuring geo-redundant storage for backup is only allowed during server create. |Audit, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_DBForPostgreSQL_Audit.json) | |[Long-term geo-redundant backup should be enabled for Azure SQL Databases](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd38fc420-0735-4ef3-ac11-c806f651a570) |This policy audits any Azure SQL Database with long-term geo-redundant backup not enabled. |AuditIfNotExists, Disabled |[2.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/GeoRedundant_SQLDatabase_AuditIfNotExists.json) |
-### Ensure protection of backups and customer managed keys
+### Mitigate risk of lost keys
-**ID**: Azure Security Benchmark 9.4
+**ID**: Azure Security Benchmark BR-4
**Ownership**: Customer |Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> | ||||| |[Key vaults should have purge protection enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0b60c0b2-2dc2-4e1c-b5c9-abbed971de53) |Malicious deletion of a key vault can lead to permanent data loss. A malicious insider in your organization can potentially delete and purge key vaults. Purge protection protects you from insider attacks by enforcing a mandatory retention period for soft deleted key vaults. No one inside your organization or Microsoft will be able to purge your key vaults during the soft delete retention period. |Audit, Deny, Disabled |[1.1.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_Recoverable_Audit.json) |-
-## Incident Response
-
-### Provide security incident contact details and configure alert notifications for security incidents
-
-**ID**: Azure Security Benchmark 10.4
-**Ownership**: Customer
-
-|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
-|||||
-|[A security contact phone number should be provided for your subscription](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb4d66858-c922-44e3-9566-5cdb7a7be744) |Enter a phone number to receive notifications when Azure Security Center detects compromised resources |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Security_contact_phone_number.json) |
-|[Subscriptions should have a contact email address for security issues](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F4f4f78b8-e367-4b10-a341-d9a4ad5cf1c7) |To ensure the relevant people in your organization are notified when there is a potential security breach in one of your subscriptions, set a security contact to receive email notifications from Security Center. |AuditIfNotExists, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_Security_contact_email.json) |
+|[Key vaults should have soft delete enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F1e66c121-a66a-4b1f-9b83-0fd99bf0fc2d) |Deleting a key vault without soft delete enabled permanently deletes all secrets, keys, and certificates stored in the key vault. Accidental deletion of a key vault can lead to permanent data loss. Soft delete allows you to recover an accidently deleted key vault for a configurable retention period. |Audit, Deny, Disabled |[1.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Key%20Vault/KeyVault_SoftDeleteMustBeEnabled_Audit.json) |
> [!NOTE] > Availability of specific Azure Policy definitions may vary in Azure Government and other national
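Review bot: The rows still shown under the renamed BR-2 "Encrypt backup data" at the top of this hunk, "Geo-redundant backup should be enabled for Azure Database for PostgreSQL" and "Long-term geo-redundant backup should be enabled for Azure SQL Databases", audit backup redundancy rather than encryption, so the heading and its table no longer agree. Separately, the whole "Incident Response" section (10.4, "A security contact phone number should be provided for your subscription" and "Subscriptions should have a contact email address for security issues") is deleted here with no IR-* control added in its place; if those two policies are mapped to a v2 Incident Response control, that section should be added in this change rather than silently dropped, and if they are not, the removal deserves a line in the PR description.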
governance https://docs.microsoft.com/en-us/azure/governance/policy/samples/azure-security-benchmarkv1 https://github.com/MicrosoftDocs/azure-docs/commits/master/articles/governance/policy/samples/azure-security-benchmarkv1.md new file mode 100644 /dev/null
@@ -0,0 +1,557 @@
+
+ Title: Regulatory Compliance details for Azure Security Benchmark v1
+description: Details of the Azure Security Benchmark v1 Regulatory Compliance built-in initiative. Each control is mapped to one or more Azure Policy definitions that assist with assessment.
Last updated : 01/25/2021+++
+# Details of the Azure Security Benchmark v1 Regulatory Compliance built-in initiative
+
+The following article details how the Azure Policy Regulatory Compliance built-in initiative
+definition maps to **compliance domains** and **controls** in Azure Security Benchmark v1.
+For more information about this compliance standard, see
+[Azure Security Benchmark v1](../../../security/benchmarks/overview.md). To understand
+_Ownership_, see [Azure Policy policy definition](../concepts/definition-structure.md#type) and
+[Shared responsibility in the cloud](../../../security/fundamentals/shared-responsibility.md).
+
+The following mappings are to the **Azure Security Benchmark v1** controls. Use the
+navigation on the right to jump directly to a specific **compliance domain**. Many of the controls
+are implemented with an [Azure Policy](../overview.md) initiative definition. To review the complete
+initiative definition, open **Policy** in the Azure portal and select the **Definitions** page.
+Then, find and select the **Azure Security Benchmark v1** Regulatory Compliance built-in
+initiative definition.
+
+This built-in initiative is deployed as part of the
+[Azure Security Benchmark v1 blueprint sample](../../blueprints/samples/azure-security-benchmark.md).
+
+> [!IMPORTANT]
+> Each control below is associated with one or more [Azure Policy](../overview.md) definitions.
+> These policies may help you [assess compliance](../how-to/get-compliance-data.md) with the
+> control; however, there often is not a one-to-one or complete match between a control and one or
+> more policies. As such, **Compliant** in Azure Policy refers only to the policy definitions
+> themselves; this doesn't ensure you're fully compliant with all requirements of a control. In
+> addition, the compliance standard includes controls that aren't addressed by any Azure Policy
+> definitions at this time. Therefore, compliance in Azure Policy is only a partial view of your
+> overall compliance status. The associations between compliance domains, controls, and Azure Policy
+> definitions for this compliance standard may change over time. To view the change history, see the
+> [GitHub Commit History](https://github.com/Azure/azure-policy/commits/master/built-in-policies/policySetDefinitions/Regulatory%20Compliance/asb_audit.json).
+
+## Network Security
+
+### Protect resources using Network Security Groups or Azure Firewall on your Virtual Network
+
+**ID**: Azure Security Benchmark 1.1
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) |
+|[All Internet traffic should be routed via your deployed Azure Firewall](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc5e4038-4584-4632-8c85-c0448d374b2c) |Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall |AuditIfNotExists, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ASC_All_Internet_traffic_should_be_routed_via_Azure_Firewall.json) |
+|[App Service should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F2d21331d-a4c2-4def-a9ad-ee4e1e023beb) |This policy audits any App Service not configured to use a virtual network service endpoint. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_AppService_AuditIfNotExists.json) |
+|[Authorized IP ranges should be defined on Kubernetes Services](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e246bcf-5f6f-4f87-bc6f-775d4712c7ea) |Restrict access to the Kubernetes Service Management API by granting API access only to IP addresses in specific ranges. It is recommended to limit access to authorized IP ranges to ensure that only applications from allowed networks can access the cluster. |Audit, Disabled |[2.0.1](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableIpRanges_KubernetesService_Audit.json) |
+|[Container Registry should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fc4857be7-912a-4c75-87e6-e30292bcdf78) |This policy audits any Container Registry not configured to use a virtual network service endpoint. |Audit, Disabled |[1.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_ContainerRegistry_Audit.json) |
+|[Cosmos DB should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe0a2b1a3-f7f9-4569-807f-2a9edebdf4d9) |This policy audits any Cosmos DB not configured to use a virtual network service endpoint. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_CosmosDB_Audit.json) |
+|[Event Hub should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd63edb4a-c612-454d-b47d-191a724fcbf0) |This policy audits any Event Hub not configured to use a virtual network service endpoint. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_EventHub_AuditIfNotExists.json) |
+|[Internet-facing virtual machines should be protected with network security groups](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff6de0be7-9a8a-4b8a-b349-43cf02d22f7c) |Protect your virtual machines from potential threats by restricting access to them with network security groups (NSG). Learn more about controlling traffic with NSGs at [https://aka.ms/nsg-doc](https://aka.ms/nsg-doc) |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnInternetFacingVirtualMachines_Audit.json) |
+|[IP Forwarding on your virtual machine should be disabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fbd352bd5-2853-4985-bf0d-73806b4a5744) |Enabling IP forwarding on a virtual machine's NIC allows the machine to receive traffic addressed to other destinations. IP forwarding is rarely required (e.g., when using the VM as a network virtual appliance), and therefore, this should be reviewed by the network security team. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_IPForwardingOnVirtualMachines_Audit.json) |
+|[Key Vault should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fea4d6841-2173-4317-9747-ff522a45120f) |This policy audits any Key Vault not configured to use a virtual network service endpoint. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_KeyVault_Audit.json) |
+|[Management ports of virtual machines should be protected with just-in-time network access control](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb0f33259-77d7-4c9e-aac6-3aabcfae693c) |Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json) |
+|[Management ports should be closed on your virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F22730e10-96f6-4aac-ad84-9383d35b5917) |Open remote management ports are exposing your VM to a high level of risk from Internet-based attacks. These attacks attempt to brute force credentials to gain admin access to the machine. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_OpenManagementPortsOnVirtualMachines_Audit.json) |
+|[Private endpoint should be enabled for MariaDB servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0a1302fb-a631-4106-9753-f3d494733990) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MariaDB. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MariaDB_EnablePrivateEndPoint_Audit.json) |
+|[Private endpoint should be enabled for MySQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F7595c971-233d-4bcf-bd18-596129188c49) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for MySQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/MySQL_EnablePrivateEndPoint_Audit.json) |
+|[Private endpoint should be enabled for PostgreSQL servers](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0564d078-92f5-4f97-8398-b9f58a51f70b) |Private endpoint connections enforce secure communication by enabling private connectivity to Azure Database for PostgreSQL. Configure a private endpoint connection to enable access to traffic coming only from known networks and prevent access from all other IP addresses, including within Azure. |AuditIfNotExists, Disabled |[1.0.2](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/SQL/PostgreSQL_EnablePrivateEndPoint_Audit.json) |
+|[Service Bus should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F235359c5-7c52-4b82-9055-01c75cf9f60e) |This policy audits any Service Bus not configured to use a virtual network service endpoint. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_ServiceBus_AuditIfNotExists.json) |
+|[SQL Server should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fae5d2f14-d830-42b6-9899-df6cfe9c71a3) |This policy audits any SQL Server not configured to use a virtual network service endpoint. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_SQLServer_AuditIfNotExists.json) |
+|[Storage accounts should restrict network access](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F34c877ad-507e-4c82-993e-3452a6e0ad3c) |Network access to storage accounts should be restricted. Configure network rules so only applications from allowed networks can access the storage account. To allow connections from specific internet or on-premise clients, access can be granted to traffic from specific Azure virtual networks or to public internet IP address ranges |Audit, Deny, Disabled |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Storage/Storage_NetworkAcls_Audit.json) |
+|[Storage Accounts should use a virtual network service endpoint](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F60d21c4f-21a3-4d94-85f4-b924e6aeeda4) |This policy audits any Storage Account not configured to use a virtual network service endpoint. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetworkServiceEndpoint_StorageAccount_Audit.json) |
+|[Subnets should be associated with a Network Security Group](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe71308d3-144b-4262-b144-efdc3cc90517) |Protect your subnet from potential threats by restricting access to it with a Network Security Group (NSG). NSGs contain a list of Access Control List (ACL) rules that allow or deny network traffic to your subnet. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_NetworkSecurityGroupsOnSubnets_Audit.json) |
+|[Virtual machines should be connected to an approved virtual network](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fd416745a-506c-48b6-8ab1-83cb814bcaa3) |This policy audits any virtual machine connected to a virtual network that is not approved. |Audit, Deny, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ApprovedVirtualNetwork_Audit.json) |
+|[Virtual networks should use specified virtual network gateway](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ff1776c76-f58c-4245-a8d0-2b207198dc8b) |This policy audits any virtual network if the default route does not point to the specified virtual network gateway. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/VirtualNetwork_ApprovedVirtualNetworkGateway_AuditIfNotExists.json) |
+
+### Monitor and log the configuration and traffic of Vnets, Subnets, and NICs
+
+**ID**: Azure Security Benchmark 1.2
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Network Watcher should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) |Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure. |auditIfNotExists |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) |
+
+### Protect critical web applications
+
+**ID**: Azure Security Benchmark 1.3
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[CORS should not allow every resource to access your API App](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F358c20a6-3f9e-4f0e-97ff-c6ce485e2aac) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your API app. Allow only required domains to interact with your API app. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_ApiApp_Audit.json) |
+|[CORS should not allow every resource to access your Function Apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0820b7b9-23aa-4725-a1ce-ae4558f718e5) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your Function app. Allow only required domains to interact with your Function app. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_FuntionApp_Audit.json) |
+|[CORS should not allow every resource to access your Web Applications](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5744710e-cc2f-4ee8-8809-3b11e89f4bc9) |Cross-Origin Resource Sharing (CORS) should not allow all domains to access your web application. Allow only required domains to interact with your web app. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_RestrictCORSAccess_WebApp_Audit.json) |
+|[Ensure WEB app has 'Client Certificates (Incoming client certificates)' set to 'On'](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F5bb220d9-2698-4ee4-8404-b9c30c9df609) |Client certificates allow for the app to request a certificate for incoming requests. Only clients that have a valid certificate will be able to reach the app. |Audit, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_Webapp_Audit_ClientCert.json) |
+|[Remote debugging should be turned off for API Apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fe9c8d085-d9cc-4b17-9cdc-059f1f01f19e) |Remote debugging requires inbound ports to be opened on API apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_ApiApp_Audit.json) |
+|[Remote debugging should be turned off for Function Apps](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F0e60b895-3786-45da-8377-9c6b4b6ac5f9) |Remote debugging requires inbound ports to be opened on function apps. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_FunctionApp_Audit.json) |
+|[Remote debugging should be turned off for Web Applications](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fcb510bfd-1cba-4d9f-a230-cb0976f4bb71) |Remote debugging requires inbound ports to be opened on a web application. Remote debugging should be turned off. |AuditIfNotExists, Disabled |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/App%20Service/AppService_DisableRemoteDebugging_WebApp_Audit.json) |
+
+### Deny communications with known malicious IP addresses
+
+**ID**: Azure Security Benchmark 1.4
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Adaptive network hardening recommendations should be applied on internet facing virtual machines](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F08e6af2d-db70-460a-bfe9-d5bd474ba9d6) |Azure Security Center analyzes the traffic patterns of Internet facing virtual machines and provides Network Security Group rule recommendations that reduce the potential attack surface |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_AdaptiveNetworkHardenings_Audit.json) |
+|[All Internet traffic should be routed via your deployed Azure Firewall](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Ffc5e4038-4584-4632-8c85-c0448d374b2c) |Azure Security Center has identified that some of your subnets aren't protected with a next generation firewall. Protect your subnets from potential threats by restricting access to them with Azure Firewall or a supported next generation firewall |AuditIfNotExists, Disabled |[3.0.0-preview](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/ASC_All_Internet_traffic_should_be_routed_via_Azure_Firewall.json) |
+|[Azure DDoS Protection Standard should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fa7aca53f-2ed4-4466-a25e-0b45ade68efd) |DDoS protection standard should be enabled for all virtual networks with a subnet that is part of an application gateway with a public IP. |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_EnableDDoSProtection_Audit.json) |
+|[Management ports of virtual machines should be protected with just-in-time network access control](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb0f33259-77d7-4c9e-aac6-3aabcfae693c) |Possible network Just In Time (JIT) access will be monitored by Azure Security Center as recommendations |AuditIfNotExists, Disabled |[3.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Security%20Center/ASC_JITNetworkAccess_Audit.json) |
+
+### Record network packets and flow logs
+
+**ID**: Azure Security Benchmark 1.5
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Network Watcher should be enabled](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2Fb6e2945c-0b7b-40f5-9233-7a5323b5cdc6) |Network Watcher is a regional service that enables you to monitor and diagnose conditions at a network scenario level in, to, and from Azure. Scenario level monitoring enables you to diagnose problems at an end to end network level view. Network diagnostic and visualization tools available with Network Watcher help you understand, diagnose, and gain insights to your network in Azure. |auditIfNotExists |[1.1.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Network/NetworkWatcher_Enabled_Audit.json) |
+
+### Use automated tools to monitor network resource configurations and detect changes
+
+**ID**: Azure Security Benchmark 1.11
+**Ownership**: Customer
+
+|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |
+|||||
+|[Add system-assigned managed identity to enable Guest Configuration assignments on virtual machines with no identities](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F3cf2ab00-13f1-4d0c-8971-2ac904541a7e) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration but do not have any managed identities. A system-assigned managed identity is a prerequisite for all Guest Configuration assignments and must be added to machines before using any Guest Configuration policy definitions. For more information on Guest Configuration, visit [https://aka.ms/gcpol](https://aka.ms/gcpol). |modify |[1.0.0](https://github.com/Azure/azure-policy/blob/master/built-in-policies/policyDefinitions/Guest%20Configuration/GuestConfiguration_AddSystemIdentityWhenNone_Prerequisite.json) |
+|[Add system-assigned managed identity to enable Guest Configuration assignments on VMs with a user-assigned identity](https://portal.azure.com/#blade/Microsoft_Azure_Policy/PolicyDetailBlade/definitionId/%2Fproviders%2FMicrosoft.Authorization%2FpolicyDefinitions%2F497dff13-db2a-4c0f-8603-28fa3b331ab6) |This policy adds a system-assigned managed identity to virtual machines hosted in Azure that are supported by Guest Configuration and have at least one user-assigned identity but do not have a system-assigned managed identity. A system-assigned managed identity is a prerequisite for all Gues
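Review bot: the table delimiter rows in this hunk are written as `|||||` under each `|Name<br /><sub>(Azure portal)</sub> |Description |Effect(s) |Version<br /><sub>(GitHub)</sub> |` header (the tables for Azure Security Benchmark 1.2, 1.3, 1.4, 1.5 and 1.11 all have this form); a Markdown header separator needs at least one dash per cell, so these should read `|---|---|---|---|` or the rows will render as plain pipe-separated text rather than tables. Two smaller points in the same tables: the "All Internet traffic should be routed via your deployed Azure Firewall" row under control 1.4 links a `3.0.0-preview` definition while every other row is a GA version, so it is worth marking the preview status in the row text since preview definitions can change before release; and the Effect(s) column mixes casing (`auditIfNotExists` and `modify` against `AuditIfNotExists, Disabled` elsewhere), which is fine if the values are copied verbatim from the definitions but should be consistent if this column is meant to be edited by hand.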